
Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Mark Nottingham <mnot@mnot.net>
Date: Sun, 24 Jul 2011 14:31:02 -0400
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <CFBF6FC4-5E17-40A5-A10F-FDCB8B053BAF@mnot.net>
To: Willy Tarreau <w@1wt.eu>

On 24/07/2011, at 2:11 PM, Willy Tarreau wrote:

> On Sun, Jul 24, 2011 at 02:06:17PM -0400, Mark Nottingham wrote:
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>> 
>> Proposal:
>> 
>> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
> 
> Does this mean it's only for other 4xx or for any status ? It might have
> implications with non-idempotent requests if a client can repost a request
> that led to a 200 for instance.

Any status. Good point about non-idempotent requests; we'll need to make clear it's not about automatically retrying requests, but instead that sending the same request with credentials might have a different effect.


>> and,
>> 
>> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or 401 MUST use the Authorization header in the request, because of its implications for caching. Schemes MAY specify additional headers to be used alongside it.
> 
> This looks important indeed !
> 
> Willy

--
Mark Nottingham   http://www.mnot.net/
Received on Sunday, 24 July 2011 18:31:25 GMT
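
The caching implication behind proposal 2, as an added example that is not part of the original message: shared caches special-case requests that carry Authorization (RFC 2616, section 14.8), so a scheme that sends its credential in some other header loses that protection. The cache model, the `X-Token` header name, the origin and the requests are all constructed for illustration.

```python
# Added illustration: a minimal shared cache that applies the RFC 2616
# section 14.8 rule for requests carrying Authorization.
# Simplification: a 200 without explicit freshness is treated as
# heuristically cacheable. X-Token is a hypothetical header name.

SHARED_OK = ("public", "must-revalidate", "s-maxage")


class SharedCache:
    def __init__(self):
        self.store = {}

    def _may_store(self, req_headers, resp_headers):
        cc = resp_headers.get("Cache-Control", "").lower()
        if "no-store" in cc or "private" in cc:
            return False
        if "Authorization" in req_headers:
            # The cache recognises this header as marking a per-user
            # response and needs explicit permission to share it.
            return any(d in cc for d in SHARED_OK)
        # Any other header is opaque to the cache.
        return True

    def fetch(self, method, url, req_headers, origin):
        key = (method, url)
        if key in self.store:
            return self.store[key], "HIT"
        status, resp_headers, body = origin(req_headers)
        if method == "GET" and status == 200 and self._may_store(req_headers, resp_headers):
            self.store[key] = (status, resp_headers, body)
        return (status, resp_headers, body), "MISS"


def origin(req_headers):
    """Constructed origin that accepts either header as a credential."""
    cred = req_headers.get("Authorization") or req_headers.get("X-Token")
    if cred is None:
        return 401, {"WWW-Authenticate": 'Basic realm="demo"'}, "login required"
    return 200, {}, f"inbox of {cred}"


def second_user_sees(header_name):
    """Alice, then Bob, request the same URL through one shared cache."""
    cache = SharedCache()
    cache.fetch("GET", "/inbox", {header_name: "alice"}, origin)
    (_, _, body), state = cache.fetch("GET", "/inbox", {header_name: "bob"}, origin)
    return body, state
```

With the credential in Authorization the second user gets a fresh response from the origin; with the credential in the hypothetical `X-Token` header the cache replays the first user's response.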
