Re: [#177] Realm required on challenges

From: Jeff Jenkins <jrj@apple.com>
Date: Tue, 7 Jul 2009 10:56:24 -0700
Message-Id: <809E17F3-88B0-4572-8FEA-BDF8ACC717D8@apple.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

On Jul 7, 2009, at 2:00 AM, Thomas Broyer wrote:

> On Tue, Jul 7, 2009 at 10:28 AM, Adrien de Croy wrote:
>>
>> I question the validity of requiring that realm be a parameter of
>> every (even new) scheme that has a challenge.
>>
>> I've never seen a browser use the realm for anything other than a
>> label in a dialog box either.
>
> Plain wrong!
>
> See http://ltgt.net/tests/http-auth-realm/
>
> I tested it in IE8, Firefox 3.5, Opera 9.64, Safari 4 and Chrome
> 3.0.191.3 (Dev channel), all on Windows.
> Only Chrome fails the test and does not ask for your credentials when
> going from Foo to Bar the first time; all others take the realm into
> account when storing the credentials for use in subsequent requests;
> realm is not just a label in a dialog box.
I agree!!

Realms do matter!  It would be a security hole to automatically apply
credentials from realm X to realm Y.
Not all authentication protocols use realms, thus their inclusion should
be optional.  NTLM/Negotiate authenticate a connection, and do not
necessarily apply to what can be accessed on the server.

-- jrj

>
> -- 
> Thomas Broyer
>
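The point made in this thread, that a client must key stored credentials on the realm and not just the host, can be shown with a small realm-aware credential cache. The following is an added example, not code from the thread or from any of the browsers tested; it assumes a constructed origin string and constructed challenge headers. It parses the realm out of a `WWW-Authenticate` challenge, stores credentials under (origin, scheme, realm), and contrasts that with the host-only behaviour Thomas observed in Chrome, where credentials entered for realm "Foo" were replayed to realm "Bar" without prompting. Schemes that carry no realm (NTLM, Negotiate) fall back to a scheme-only key here; a real client would tie them to the connection, as Jeff notes.

```python
import re
from typing import Dict, Optional, Tuple

# Matches one auth-param: name=token or name="quoted-string" (with \" escapes).
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a single WWW-Authenticate value into (scheme, params).

    Scheme and parameter names are lower-cased; parameter values, including
    the realm, are kept as given (realm comparison is case-sensitive).
    Quoted-string values are unescaped; a bare scheme ("Negotiate") yields
    an empty parameter dict.
    """
    scheme, _, rest = header.strip().partition(" ")
    params: Dict[str, str] = {}
    for m in _PARAM_RE.finditer(rest):
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape \" and \\
        else:
            value = m.group(3)
        params[name] = value
    return scheme.lower(), params


class CredentialCache:
    """Client-side store of credentials per protection space.

    With scope_by_realm=True (what the thread says IE, Firefox, Opera and
    Safari do) the key is (origin, scheme, realm). With scope_by_realm=False
    the realm is ignored, which reproduces the unsafe host-only behaviour.
    """

    def __init__(self, scope_by_realm: bool = True) -> None:
        self.scope_by_realm = scope_by_realm
        self._store: Dict[Tuple[str, str, str], Tuple[str, str]] = {}

    def _key(self, origin: str, challenge: str) -> Tuple[str, str, str]:
        scheme, params = parse_challenge(challenge)
        # NTLM/Negotiate carry no realm: the empty string stands in for
        # "this scheme on this origin"; a real client scopes these to the
        # connection rather than to a protection space.
        realm = params.get("realm", "") if self.scope_by_realm else ""
        return (origin, scheme, realm)

    def store(self, origin: str, challenge: str, user: str, password: str) -> None:
        self._store[self._key(origin, challenge)] = (user, password)

    def lookup(self, origin: str, challenge: str) -> Optional[Tuple[str, str]]:
        """Return stored credentials for this challenge, or None to prompt."""
        return self._store.get(self._key(origin, challenge))


ORIGIN = "https://example.test"  # constructed origin for the demo


def demo_realm_scoping() -> Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Credentials entered for realm Foo are reused for Foo, but a challenge
    for realm Bar on the same origin yields None, i.e. the user is prompted."""
    cache = CredentialCache(scope_by_realm=True)
    cache.store(ORIGIN, 'Basic realm="Foo"', "alice", "s3cret")
    return (cache.lookup(ORIGIN, 'Basic realm="Foo"'),
            cache.lookup(ORIGIN, 'Basic realm="Bar"'))


def demo_host_only() -> Optional[Tuple[str, str]]:
    """Host-only keying: the Foo credentials leak into realm Bar."""
    cache = CredentialCache(scope_by_realm=False)
    cache.store(ORIGIN, 'Basic realm="Foo"', "alice", "s3cret")
    return cache.lookup(ORIGIN, 'Basic realm="Bar"')


if __name__ == "__main__":
    print("realm-scoped:", demo_realm_scoping())   # (('alice', 's3cret'), None)
    print("host-only:  ", demo_host_only())        # ('alice', 's3cret')
```

Running the module prints the two outcomes side by side: the realm-scoped cache returns `None` for the "Bar" challenge (prompt the user), while the host-only cache hands the "Foo" credentials to whatever realm asks for them.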
Received on Tuesday, 7 July 2009 17:57:05 GMT