W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2011

Re: best status code for bad auth method

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 10 Dec 2011 12:43:53 +1100
Cc: Daniel Stenberg <daniel@haxx.se>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <7B3F25C6-F661-4ED6-847F-3317B2B028D9@mnot.net>
To: Adrien de Croy <adrien@qbik.com>
If we created a new status code to address every brain-dead client behaviour, we'd fast run out.

Regards,


On 09/12/2011, at 6:54 PM, Adrien de Croy wrote:

> 
> my gut tells me responding with a 407 is more likely to result in request looping.
> 
> 403 shuts it down (or should).
> 
> browser behaviour when you send a 407 back when a client considers auth should be complete, results in the browser popping a login dialog.
> 
> But since there are few browsers, and I'm pretty sure they all honour the advertised methods, we won't see this - just headless agents.
> 
> Maybe we need a new status code...
> 
> 
> On 9/12/2011 8:47 p.m., Daniel Stenberg wrote:
>> On Fri, 9 Dec 2011, Adrien de Croy wrote:
>> 
>>> 407 also implicitly says try again, whereas 403 says don't... so I'm leaning towards the 403.
>>> 
>>> I guess the number of web browsers this will affect is about 0... so only un-manned applications will see this
>> 
>> Surely 407 is already in wide use for this? I would expect many proxies to just not care about non-supported auth methods and since it didn't find a correct auth header, it would respond with a 407.
>> 
>> And in regards to it saying the client should try again, I consider it similar to sending an auth header with bad credentials compared to no credentials. The client must know what it did before when it gets a 407 back, and then change it accordingly before it tries again.
>> 
> 
> -- 
> Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
> 
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Saturday, 10 December 2011 01:44:23 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:50 GMT