Re: Authorization with WWW-Authenticate (bis)

Thomas Broyer wrote:
> On Fri, Oct 23, 2009 at 5:57 PM, Sylvain Hellegouarch wrote:
>   
>> Following http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i78 I've
>> been left wondering how to convey the following semantic with HTTP:
>>
>> * The request was not fulfilled due to authorization failure and the
>> server (does not wish to)/(cannot) specify which scheme must be used.
>>
>> The context is based on HTTP requests issued from Javascript along with a
>> cookie based authentication system.
>>
>> RFC 2616 tells me I can neither reply with a 401 without a scheme nor
>> use a 403, since subsequent Authorization would not help.
>>
>> At first I was tempted to simply use one of the 30x code to inform the
>> Javascript handler that it should act accordingly but browsers don't
>> bubble up 30x responses to the Javascript stack which leaves me the
>> already burdened 400.
>>
>> There seemed to be a consensus two years ago not to split the
>> Authorization header from its WWW-Authenticate friend but to me the
>> semantic of one without the other remains.
>>
>> Today I'm merely seeking the group advice on what would be the best
>> decision to make.
>>     
>
> Help me advance and finish "HTTP Cookie Auth" ;-)
> http://tools.ietf.org/html/draft-broyer-http-cookie-auth
> http://hg.ltgt.net/http-cookie-auth/
>
> (this is only a matter of the time I have available to work on it –much
> less than I'd like–, do not see the absence of work as giving up)
>
>   
Hi Thomas,

This is indeed a good starting point. I went through your proposal and 
I'm a bit unclear about the actual end-to-end workflow performed by the 
UA. I'm not sure I understand how the different directives would be 
applied.

- Sylvain
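The constraint at the heart of the thread (a 401 must carry a WWW-Authenticate challenge, a 403 means a new Authorization header will not help) is easy to get wrong in a handler that mixes cookie sessions and script-driven requests. The following is an added example, not code from this thread or from the HTTP Cookie Auth draft: a small Python checker that parses WWW-Authenticate challenges (RFC 2617 style: scheme followed by comma-separated auth-params) and flags authorization-failure responses that violate the RFC 2616 rule, plus a helper that picks the status code from the two facts the server actually knows. The `Cookie` scheme name and its `form` parameter used in the sample responses are assumptions for illustration and are not taken from the draft.

```python
import re

# RFC 2616 token and quoted-string grammar (no token68 form, which RFC 2617
# does not define; a bare credential blob would be rejected as malformed).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_ITEM = re.compile(rf"\s*,?\s*(?:({_TOKEN})\s*=\s*({_QUOTED}|{_TOKEN})|({_TOKEN}))")


def parse_www_authenticate(value):
    """Parse a WWW-Authenticate field value into [(scheme, {param: value}), ...].

    A bare token starts a new challenge; a `name=value` pair attaches to the
    most recent challenge. Quoted values may contain commas and escaped quotes.
    """
    value = value.strip()
    challenges = []
    pos = 0
    while pos < len(value):
        m = _ITEM.match(value, pos)
        if not m:
            raise ValueError(f"malformed challenge near offset {pos}: {value[pos:]!r}")
        pos = m.end()
        if m.group(3):
            challenges.append((m.group(3), {}))
            continue
        if not challenges:
            raise ValueError("auth-param before any scheme")
        val = m.group(2)
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unescape quoted-pair
        challenges[-1][1][m.group(1).lower()] = val
    return challenges


def check_response(status, headers):
    """Return a list of problems with an authorization-failure response.

    headers is a list of (name, value) pairs, as a server framework would hold them.
    """
    problems = []
    challenges_hdrs = [v for k, v in headers if k.lower() == "www-authenticate"]
    if status == 401:
        if not challenges_hdrs:
            problems.append("401 without WWW-Authenticate (RFC 2616 10.4.2 requires one)")
        for value in challenges_hdrs:
            try:
                if not parse_www_authenticate(value):
                    problems.append("401 with an empty WWW-Authenticate challenge")
            except ValueError as exc:
                problems.append(f"unparseable WWW-Authenticate: {exc}")
    elif status == 403 and challenges_hdrs:
        # Not forbidden by RFC 2616, but contradictory: 403 says re-authenticating
        # will not help, while a challenge invites exactly that (this checker's rule).
        problems.append("403 carries a challenge although authorization will not help")
    return problems


def build_auth_failure(authenticated, challenge):
    """Server-side decision from the two facts the handler knows.

    Not authenticated -> 401 plus the challenge it can offer (required).
    Authenticated but not permitted -> 403 with no challenge.
    """
    if not authenticated:
        return 401, [("WWW-Authenticate", challenge)]
    return 403, []


# Constructed sample responses covering the cases raised in the thread.
SAMPLE_RESPONSES = {
    "401, no scheme (what RFC 2616 disallows)": (401, []),
    "403 for an authenticated but unauthorized user": (403, []),
    # Hypothetical cookie-based challenge; syntax assumed, not from the draft.
    "401 with a cookie-style challenge": (401, [("WWW-Authenticate", 'Cookie form="/login"')]),
    "401 offering two schemes": (401, [("WWW-Authenticate", 'Basic realm="api", Cookie form="/login"')]),
}


def audit_samples():
    """Run the checker over every sample; returns {label: [problems]}."""
    return {label: check_response(s, h) for label, (s, h) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for label, problems in audit_samples().items():
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

In a handler, `build_auth_failure` keeps the two outcomes apart: the cookie-less script request gets a 401 that always carries a challenge, and a user whose session is valid but lacks rights gets a 403, so the checker never sees the bare 401 the first message asks about.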

Received on Saturday, 24 October 2009 13:18:09 UTC