
Re: Caching authentication state

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 11 Mar 2006 10:31:39 -0800
Message-Id: <0DDE0408-366C-4373-B96E-D970A3B71B75@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
To: Robert Sayre <sayrer@gmail.com>

Sometimes specs are ambiguous because what seemed obvious at the time  
is interpreted differently; other times, they're purposefully  
ambiguous, so as to not disallow future use cases or extensions. I  
was hoping that one of the original authors would give their take on  
which it was...

On 2006/03/11, at 9:12 AM, Robert Sayre wrote:

> On 3/10/06, Mark Nottingham <mnot@yahoo-inc.com> wrote:
>> RFC 2616 section 14.8 says:
>>>       If a request is
>>>       authenticated and a realm specified, the same credentials
>>>       SHOULD be valid for all other requests within this realm
>> a) Is the intent of the first SHOULD to allow credential caching
>> (e.g., similar to [1]) in intermediaries?
> My guess would be no. I think it means that the same username/password
> combination should be valid throughout the realm. For example,
> Digest clients can send cnonce and nonce-count values, so the actual
> data sent changes with each request.
> --
> Robert Sayre

Mark Nottingham     http://www.mnot.net/
Received on Saturday, 11 March 2006 18:31:38 GMT
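
The Digest behaviour Robert Sayre mentions in the quoted reply, as an added example that is not part of the original message: it computes the RFC 2617 `qop=auth` response for two successive requests made with the same username and password. The function names are assumptions; the sample values are those of the RFC 2617 example, except the second cnonce, which is constructed.

```python
import hashlib


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth with the default MD5 algorithm."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")  # fixed per user and realm
    ha2 = _md5_hex(f"{method}:{uri}")                 # depends on the request
    # nc is sent as eight hex digits and increases with every request
    return _md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


def successive_responses(username, realm, password, nonce, requests):
    """Response value for each (method, uri, cnonce) in order, counting
    nonce-count up from 1 as a client does while reusing one server nonce."""
    return [
        digest_response(username, realm, password, method, uri,
                        nonce, nc, cnonce)
        for nc, (method, uri, cnonce) in enumerate(requests, start=1)
    ]


# Values from the RFC 2617 example; the second cnonce is constructed.
SAMPLE = dict(
    username="Mufasa",
    realm="testrealm@host.com",
    password="Circle Of Life",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
)
SAMPLE_REQUESTS = [
    ("GET", "/dir/index.html", "0a4f113b"),
    ("GET", "/dir/index.html", "5c1e9d27"),
]

if __name__ == "__main__":
    responses = successive_responses(**SAMPLE, requests=SAMPLE_REQUESTS)
    for nc, value in enumerate(responses, start=1):
        print(f"nc={nc:08x} response={value}")
```

Both requests carry the same username, password and realm, yet the `response` field differs, so the credentials can be valid throughout the realm while the bytes sent change on every request.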
