Stefan Eissing wrote: > Ilya, > > Am Dienstag den, 17. September 2002, um 01:35, schrieb Ilya Kirnos: > > > > > Clients currently have no reliable means of forcing the server to > > authenticate them (they can try to preemptively send credentials, but > > this works only for basic auth, not for digest). This can lead to > > situations where the client finds out that it was required to > > authenticate too late and only after doing lots of work, such as when > > putting a large file only to get a 401 back at the end of the transfer. > > A bad user experience, agreed. > > However it would be more elegant if the client could send > the request without the server executing it and checking thus > the authentication for the specific method call. That would also > give any intermediates, like proxies, a chance to determine if > they need any authorization. > > My idea would be to use the IF header for this purpose. A client > can send a request with an invalid lock token in the IF header. > The server, being DAV-compliant, will never execute the request. > > Now this solution depends on the order of authentication vs. IF > header check. Therefore my proposal depends on > > - does every known server check authentication before lock tokens? > - could 2518bis say something like: "All user authentication SHOULD > take place before other request headers like IF are processed."? > i'm not sure this would work, since DAV servers don't even have to support locking to be compliant. -ilyaReceived on Tuesday, 17 September 2002 15:19:12 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:01 GMT