
RE: Redirection MUST NOTs

From: Joris Dobbelsteen <joris.dobbelsteen@mail.com>
Date: Wed, 5 Nov 2003 17:06:43 +0100
To: "'Mark Baker'" <distobj@acm.org>
Cc: "'WWW WG'" <ietf-http-wg@w3.org>
Message-Id: <20031105160556.8747F1368E@dr-nick.w3.org>

If one requests this URL:

The user agent should already be aware that it had better use auth2. It is
already given in the URI. Redirection would actually be a waste of time.
Auth1 could (transparently for the user) handle authentication by internally
forwarding it to auth2.
Load balancing could be done after authentication or using clustering.

This is the exact example I'm worried about, because (authentication)
information could be sent all over the Internet when redirection is
allowed.

- Joris

> -----Original Message-----
> From: Mark Baker [mailto:distobj@acm.org] 
> Sent: Wednesday, 5 November 2003 3:04
> To: Joris Dobbelsteen
> Cc: WWW WG
> Subject: Re: Redirection MUST NOTs
> 
> On Tue, Nov 04, 2003 at 10:44:26PM +0100, Joris Dobbelsteen wrote:
> > Still, I'm interested in a (practical) situation where one needs to 
> > redirect a non-GET/HEAD request?
> 
> When the user agent trusts the server as it would a proxy, e.g.
> 
> POST http://auth1.example.org/proxy?uri=http://auth2.example.org/some-path/ HTTP/1.1
> Host: auth1.example.org
> ...
> 
> There, the server is providing proxy-like capabilities, but 
> in gateway form.
> 
> Mark.
> -- 
> Mark Baker.   Ottawa, Ontario, CANADA.        http://www.markbaker.ca
> 
Received on Wednesday, 5 November 2003 11:05:57 GMT
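
The concern raised in this message, as an added example that is not part of the original thread: a user-agent redirect policy in Python that asks for confirmation before re-sending a non-GET/HEAD request on 301/302/307 (the RFC 2616 requirement) and, as this example's own assumption, drops credential headers when the redirect leaves the original origin. The names plan_redirect and origin, the header list and the sample request are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for comparison, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def plan_redirect(method, request_url, status, location, headers):
    """Decide what a user agent does with a 3xx redirect response.

    Returns (action, next_method, next_url, next_headers) where action is
    "follow" or "confirm" (ask the user before re-sending the request).
    """
    method = method.upper()
    target = urljoin(request_url, location)  # Location may be relative
    cross_origin = origin(target) != origin(request_url)

    # Policy assumed by this example: credentials never follow to another origin.
    next_headers = {
        k: v for k, v in headers.items()
        if not (cross_origin and k.lower() in CREDENTIAL_HEADERS)
    }

    if status == 303:
        # 303 See Other: fetch the target with GET; the request body is not re-sent.
        return "follow", "GET", target, next_headers
    if status in (301, 302, 307) and method not in SAFE_METHODS:
        # RFC 2616: MUST NOT redirect automatically without user confirmation.
        return "confirm", method, target, next_headers
    return "follow", method, target, next_headers


# Constructed sample: a POST carrying credentials to auth1 is redirected to auth2.
SAMPLE = plan_redirect(
    "POST", "http://auth1.example.org/login", 307,
    "http://auth2.example.org/some-path/",
    {"Authorization": "Basic <constructed>", "Content-Type": "text/plain"},
)
```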
