Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Adrien de Croy <adrien@qbik.com>
Date: Mon, 25 Jul 2011 13:29:30 +1200
Message-ID: <4E2CC6FA.3020207@qbik.com>
To: Mark Nottingham <mnot@mnot.net>
CC: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>

On 25/07/2011 6:31 a.m., Mark Nottingham wrote:
> On 24/07/2011, at 2:11 PM, Willy Tarreau wrote:
>> On Sun, Jul 24, 2011 at 02:06:17PM -0400, Mark Nottingham wrote:
>>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>>> Proposal:
>>> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
>> Does this mean it's only for other 4xx or for any status? It might have
>> implications with non-idempotent requests if a client can repost a request
>> that led to a 200 for instance.
> Any status. Good point about non-idempotent requests; we'll need to make clear it's not about automatically retrying requests, but instead that sending the same request with credentials might have a different effect.

Isn't this redundant?

I see requests with credentials all the time, when no previous 
WWW-Authorize had been sent in any response.

So clients are already taking any liberties they like to send 
credentials when they please.  I don't know that it adds anything to 
HTTP to explicitly tell them they may do this in protocol.  They are 
doing it anyway.

Otherwise are we going to prohibit the sending of creds when no 
WWW-Authorize had been sent?

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 beta out now - http://www.wingate.com/getlatest/
Received on Monday, 25 July 2011 01:30:03 UTC