Re: Security Requirements for HTTP, draft -00

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 1 Feb 2008 15:17:15 -0800
Message-Id: <D66FE2B1-768D-4599-8C1E-51188E3C8778@gbiv.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, HTTP Working Group <ietf-http-wg@w3.org>
To: Paul Leach <paulle@windows.microsoft.com>

On Feb 1, 2008, at 2:39 PM, Paul Leach wrote:
> [Paul Leach] Are you taking into account that, after an FBA,  
> subsequent requests to the same site are authorized by a cookie  
> (i.e., they have no auth headers at all), whereas with Basic every  
> request has an auth header?

It doesn't make any difference either way.  The notion that
authenticated HTTP requests are almost entirely based on FBA is
absurd.  It ignores the fact that most HTTP requests aren't even
made by browsers.

....Roy
Received on Friday, 1 February 2008 23:17:10 GMT