W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2011

Re: best status code for bad auth method

From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 9 Dec 2011 08:47:56 +0100 (CET)
To: Adrien de Croy <adrien@qbik.com>
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <alpine.DEB.2.00.1112090845180.9345@tvnag.unkk.fr>
On Fri, 9 Dec 2011, Adrien de Croy wrote:

> 407 also implicitly says try again, whereas 403 says don't... so I'm leaning 
> towards the 403.
>
> I guess the number of web browsers this will affect is about 0... so only 
> un-manned applications will see this

Surely 407 is already in wide use for this? I would expect many proxies to 
just not care about non-supported auth methods and since it didn't find a 
correct auth header, it would respond with a 407.

And in regards to it saying the client should try again, I consider it similar 
to sending an auth header with bad credentials compared to no credentials. The 
client must know what it did before when it gets a 407 back, and then change 
it accordingly before it tries again.

-- 

  / daniel.haxx.se
Received on Friday, 9 December 2011 07:48:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:50 GMT