
Re: WWW-Authenticate, Authorization and 401's

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Thu, 23 Aug 2007 00:27:11 +0200
To: Hugo Haas <hugo@yahoo-inc.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Stefan Eissing <stefan.eissing@greenbytes.de>, Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org
Message-Id: <1187821631.32075.67.camel@henriknordstrom.net>

On fre, 2007-08-17 at 09:48 -0700, Hugo Haas wrote:

> As you mention, the debate seems to gravitate around whether it's OK to return 
> a 401 with "WWW-Authenticate: Foo", Foo being a scheme which does not use the 
> Authorization header to pass credentials (it's not clear to me from reading 
> the specs as I mentioned in my original email).

While it's technically OK (it's a valid 401) I would certainly not
recommend inventing such authentication methods (I would not call them
schemes in this context) which do not make use of the Authorization
header.

The HTTP protocol is sensitive to whether a request carries Authorization,
and object freshness and cacheability are changed considerably for
responses to such requests. Authentication methods not using the
provided framework need to account for those aspects themselves by
adding suitable Cache-Control headers (i.e. "Cache-Control: private").

Regards
Henrik
Received on Wednesday, 22 August 2007 22:27:26 GMT
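As an added illustration (not part of the thread above), the shared-cache rule Henrik is referring to, RFC 2616 section 14.8, as a hypothetical shared cache would apply it: a response to a request carrying Authorization is not stored unless the origin explicitly allows it, while credentials sent in any other header get no such protection unless the origin adds Cache-Control: private itself. The function names and the "X-Foo-Credentials" header are assumptions made for this example.

```python
from typing import Dict, Mapping


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'max-age=60, private' into {'max-age': '60', 'private': ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(request_headers: Mapping[str, str],
                           response_headers: Mapping[str, str]) -> bool:
    """Simplified RFC 2616 shared-cache decision for an otherwise cacheable 200.

    RFC 2616 section 14.8: a shared cache MUST NOT reuse the response to a
    request carrying Authorization for other requests unless the response
    carries s-maxage, must-revalidate or public.  Credentials carried in any
    other header (a custom scheme, as discussed above) are invisible to this
    rule, so only an explicit Cache-Control: private / no-store protects them.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "authorization" in req:
        return any(d in cc for d in ("s-maxage", "must-revalidate", "public"))
    return True


if __name__ == "__main__":
    # Constructed sample exchanges; the credential values are placeholders.
    cases = [
        ("Authorization, no Cache-Control", {"Authorization": "Basic Zm9vOmJhcg=="}, {}),
        ("Authorization, public", {"Authorization": "Basic Zm9vOmJhcg=="},
         {"Cache-Control": "public, max-age=60"}),
        ("custom header, no Cache-Control", {"X-Foo-Credentials": "token"}, {}),
        ("custom header, private", {"X-Foo-Credentials": "token"},
         {"Cache-Control": "private"}),
    ]
    for label, req, resp in cases:
        print(f"{label}: shared cache may store = {shared_cache_may_store(req, resp)}")
```

The third case is the leak Henrik warns about: a per-user response that the shared cache is free to serve to anyone because the credentials never travelled in Authorization.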
