Nice text; +1.

On 26/07/2011, at 3:29 PM, Julian Reschke wrote:

> Or even....:
>
> "The credentials carried in an Authorization header field are specific to the User Agent, and therefore have the same effect on HTTP caches as the "private" Cache-Control response directive, within the scope of the request they appear in.
>
> Therefore, new authentication schemes which choose not to carry credentials in the Authorization header (e.g., using a newly defined header) will need to explicitly disallow caching, by mandating the use of either Cache-Control request directives (e.g., "no-store") or response directives (e.g., "private")."

--
Mark Nottingham   http://www.mnot.net/

Received on Tuesday, 26 July 2011 19:45:39 GMT
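The caching consequence described in the quoted text, as an added example that is not part of the original message: a simplified shared-cache storability check showing why credentials outside `Authorization` need explicit directives. The `X-Example-Auth` header, the function names and the sample header values are hypothetical and constructed for illustration.

```python
# Added illustration: a simplified model of a shared cache's store decision.
# It follows the quoted text (Authorization acts like "private") and omits
# the response directives HTTP defines to lift that restriction.

def directives(headers):
    """Return the lowercase Cache-Control directive names found in headers."""
    value = ""
    for name, field in headers.items():
        if name.lower() == "cache-control":
            value = field
    return {part.split("=", 1)[0].strip().lower()
            for part in value.split(",") if part.strip()}


def shared_cache_may_store(request_headers, response_headers):
    """True if a shared cache may store the response for other users."""
    request_names = {name.lower() for name in request_headers}
    req_cc = directives(request_headers)
    resp_cc = directives(response_headers)
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False
    if "private" in resp_cc:
        return False
    # Credentials in Authorization are user-specific: implicit "private".
    if "authorization" in request_names:
        return False
    # A cache knows nothing about credentials carried in any other header.
    return True


def scenarios():
    """Evaluate constructed request/response pairs; returns name -> decision."""
    ok = {"Cache-Control": "max-age=60"}
    custom = {"X-Example-Auth": "token=constructed"}  # hypothetical scheme
    return {
        "authorization": shared_cache_may_store(
            {"Authorization": "Basic constructed"}, ok),
        "custom_unprotected": shared_cache_may_store(custom, ok),
        "custom_request_no_store": shared_cache_may_store(
            {**custom, "Cache-Control": "no-store"}, ok),
        "custom_response_private": shared_cache_may_store(
            custom, {"Cache-Control": "private, max-age=60"}),
    }


if __name__ == "__main__":
    for name, storable in scenarios().items():
        print(f"{name}: shared cache may store = {storable}")
```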