W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: Authorization with WWW-Authenticate (bis)

From: Thomas Broyer <t.broyer@gmail.com>
Date: Fri, 23 Oct 2009 23:46:27 +0200
Message-ID: <a9699fd20910231446k1f731e41ica68392e6721f1ca@mail.gmail.com>
To: sh@defuze.org
Cc: ietf-http-wg@w3.org
On Fri, Oct 23, 2009 at 5:57 PM, Sylvain Hellegouarch wrote:
> Following http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i78 I've
> been left wondering how to convey the following semantic with HTTP:
> * The request was not fulfilled due to authorization failure and the
> server (does not wish to)/(cannot) specify which scheme must be used.
> The context is based on HTTP requests issued from Javascript along with a
> cookie based authentication system.
> RFC 2616 tells me I cannot reply neither with a 401 without a scheme nor
> can I use a 403 since subsequent Authorization would not help.
> At first I was tempted to simply use one of the 30x code to inform the
> Javascript handler that it should act accordingly but browsers don't
> bubble up 30x responses to the Javascript stack which leaves me the
> already burdened 400.
> There seemed to be a consensus two years ago not to split the
> Authorization header from its WWW-Authenticate friend but to me the
> semantic of one without the other remains.
> Today I'm merely seeking the group advice on what would be the best
> decision to make.

Help me advancing and finishing "HTTP Cookie Auth" ;-)

(this is only a matter of time I have available to work on it –much
less than I'd like–, do not see the absence of work as a giving up)

Thomas Broyer
Received on Friday, 23 October 2009 21:47:00 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 1 October 2015 05:36:37 UTC