Hi,

over on the WHATWG list, the topic of how to implement a site that offers both authenticated and anonymous access is being discussed (see around <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/017562.html>).

An interesting proposal is to continue returning content with status 200, but to include the WWW-Authenticate header nevertheless.

RFC2616 currently is silent about this combination:

"14.47 WWW-Authenticate

   The WWW-Authenticate response-header field MUST be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.

       WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

   The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" [43]. User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters." -- <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>

Has anybody tried this before?

BR, Julian

Received on Thursday, 27 November 2008 18:52:43 GMT
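
The parsing caveat in the quoted section 14.47 text, as an added example that is not part of the original message: a Python parser that splits one or more WWW-Authenticate field values into separate challenges without being misled by commas inside quoted parameters. It takes no status code, so it applies equally to a 200 response carrying the header; the function names and the sample header values are constructed here, and the grammar assumed is auth-scheme followed by comma-separated auth-params.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf"^({TOKEN})\s*=\s*(.*)$", re.S)     # auth-param: name=value
SCHEME = re.compile(rf"^({TOKEN})(?:\s+(.*))?$", re.S)   # auth-scheme, optional rest

# Constructed sample: two header fields as they might accompany a 200 response.
SAMPLE = ['Digest realm="users, staff", qop="auth,auth-int", nonce="dcd98b"',
          'Basic realm="site"']

def split_elements(value):
    """Split a 1#-list on commas that are not inside a quoted-string."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False                  # character after a backslash is literal
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]           # the list rule tolerates empty elements

def unquote(v):
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v

def parse_challenges(field_values):
    """Return [(scheme, {param: value})] for all WWW-Authenticate field values."""
    challenges = []
    for element in split_elements(", ".join(field_values)):
        m = PARAM.match(element)
        if m is None:                        # not name=value, so a new scheme starts
            s = SCHEME.match(element)
            if s is None:
                raise ValueError(f"malformed element: {element!r}")
            challenges.append((s.group(1), {}))
            rest = (s.group(2) or "").strip()
            if not rest:
                continue                     # bare scheme with no parameters
            m = PARAM.match(rest)
            if m is None:
                raise ValueError(f"expected auth-param, got: {rest!r}")
        if not challenges:
            raise ValueError("auth-param before any auth-scheme")
        challenges[-1][1][m.group(1).lower()] = unquote(m.group(2).strip())
    return challenges
```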