
HTTP Basic Authentication

From: Jim Flath <jim_flath@yahoo.com>
Date: Fri, 27 Feb 2004 08:35:32 -0500 (EST)
Message-ID: <20040227133456.97204.qmail@web42005.mail.yahoo.com>
To: ietf-http-wg@w3.org

I am building a system that is constructed using servlets and JSPs; I also utilize sessions and client cookies.

 

I am curious if I am truly implementing Basic Authentication or a mutated version of that.  Here is the flow:

 

First request:

Client makes initial request to a secure resource.

Server finds no session data to indicate previous authentication.

Server checks header values for credentials, no credentials found, replies with a 401 status code.

Client receives 401 and prompts for credentials, receives user input and sends the authentication header data.

Server interrogates the header data and authenticates the user to the realm.

Server saves user data and flags in the session to indicate that they have successfully authenticated to the realm.

Server serves up the resource.

 

Subsequent request with a valid session:

Client request to same or different secure resource within the same realm.

Session is still valid and server finds authentication flags in the session, does NOT resend 401 status code.

Server serves up the resource.

 

Subsequent request with invalid session:

Subsequent request to same or different secure resource within the same realm.

Session has been invalidated, no session data found.

Server checks header values for credentials, no credentials found, replies with a 401 status code.

Client receives 401 and sends cached credentials in the authentication header.

Server interrogates the header data and authenticates the user to the realm.

Server saves user data and flags in the session to indicate that they have successfully authenticated to the realm.

Server serves up the resource.

 

Does the server need to reply with a 401 for each and every request to a secure resource within the same realm to say I am using Basic Authentication?  That type of model would seem to be inefficient. I understand that HTTP is a stateless transaction, but with the addition of sessions and cookies the entire transaction becomes stateful to a point.

 

FYI, the entire transaction is accomplished using HTTPS/SSL.

Received on Friday, 27 February 2004 08:47:41 GMT
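The three request sequences described in the post, written out as a small runnable model. This is an added example, not code from the poster or from any servlet container: the server side is a single `handle_request` function in Python rather than a servlet, the user database, realm name and cookie name (`USERS`, `REALM`, `SESSIONID`) are constructed placeholders, and the client is a minimal stand-in for a browser that caches Basic credentials for the realm and keeps the session cookie.

```python
import base64
import hmac
import secrets

# Constructed sample credential store; placeholder values, not from the post.
USERS = {"alice": "correct horse battery staple"}
REALM = "secure"

# Server-side session store: session id -> session data.
sessions = {}


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def check_credentials(user, password):
    """Constant-time comparison so a wrong password is not faster than a right one."""
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return ok and user in USERS


def handle_request(headers):
    """Server side of the flow: returns (status, response_headers, body)."""
    # 1. A session carrying the 'authenticated' flag is served without a 401.
    sid = None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID":
            sid = value
    sess = sessions.get(sid)
    if sess and sess.get("authenticated"):
        return 200, {}, f"resource for {sess['user']}"
    # 2. No valid session: fall back to the Authorization header.
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""
    # 3. Authenticated: record it in a fresh session and serve the resource.
    new_sid = secrets.token_urlsafe(32)
    sessions[new_sid] = {"user": creds[0], "authenticated": True}
    cookie = f"SESSIONID={new_sid}; Secure; HttpOnly; Path=/"
    return 200, {"Set-Cookie": cookie}, f"resource for {creds[0]}"


class Client:
    """Browser-like client: keeps the cookie and answers a 401 with cached credentials."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.cookie = None
        self.log = []  # status codes seen, in order

    def get(self):
        headers = {}
        if self.cookie:
            headers["Cookie"] = self.cookie
        status, rh, body = handle_request(headers)
        self.log.append(status)
        if status == 401:
            token = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
            headers["Authorization"] = "Basic " + token
            status, rh, body = handle_request(headers)
            self.log.append(status)
        if "Set-Cookie" in rh:
            self.cookie = rh["Set-Cookie"].split(";")[0]
        return status, body


def run_flow():
    """Replays the post's three sequences and returns the status codes observed."""
    sessions.clear()
    client = Client("alice", "correct horse battery staple")
    client.get()       # first request: 401, then 200 with credentials
    client.get()       # valid session: 200, no 401
    sessions.clear()   # server invalidates the session
    client.get()       # invalid session: 401, then 200 with cached credentials
    return client.log  # [401, 200, 200, 401, 200]
```

The session only removes the 401 round trip; it does not change what the client holds. Once a browser has cached Basic credentials for the realm it will answer any later 401 for that realm with them, so invalidating the server-side session does not end the user's access, which is the behaviour the third sequence relies on.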
