
Re: Authorization with WWW-Authenticate (bis)

From: Thomas Broyer <t.broyer@gmail.com>
Date: Fri, 23 Oct 2009 23:46:27 +0200
Message-ID: <a9699fd20910231446k1f731e41ica68392e6721f1ca@mail.gmail.com>
To: sh@defuze.org
Cc: ietf-http-wg@w3.org

On Fri, Oct 23, 2009 at 5:57 PM, Sylvain Hellegouarch wrote:
>
> Following http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i78 I've
> been left wondering how to convey the following semantic with HTTP:
>
> * The request was not fulfilled due to authorization failure and the
> server (does not wish to)/(cannot) specify which scheme must be used.
>
> The context is based on HTTP requests issued from Javascript along with a
> cookie based authentication system.
>
> RFC 2616 tells me I can neither reply with a 401 without a scheme nor
> use a 403 since a subsequent Authorization would not help.
>
> At first I was tempted to simply use one of the 30x codes to inform the
> Javascript handler that it should act accordingly, but browsers don't
> bubble up 30x responses to the Javascript stack, which leaves me the
> already burdened 400.
>
> There seemed to be a consensus two years ago not to split the
> Authorization header from its WWW-Authenticate friend but to me the
> semantic of one without the other remains.
>
> Today I'm merely seeking the group's advice on what would be the best
> decision to make.

Help me advance and finish "HTTP Cookie Auth" ;-)
http://tools.ietf.org/html/draft-broyer-http-cookie-auth
http://hg.ltgt.net/http-cookie-auth/

(this is only a matter of the time I have available to work on it –much
less than I'd like–, do not see the absence of work as giving up)

-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/
Received on Friday, 23 October 2009 21:47:00 GMT
