
Re: [Bug 18] no record of consensus for force-authenticate

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 29 Oct 2005 10:22:57 +0200
Message-ID: <43633161.9010102@gmx.de>
To: Lisa Dusseault <lisa@osafoundation.org>
CC: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>, webdav <w3c-dist-auth@w3.org>

Lisa Dusseault wrote:
> No it's not just for LOCK and PUT -- a client doing read-only requests 
> (like PROPFIND) might see different results depending on whether or not 
> they're authenticated. Some of the resources in a collection might be 
> publicly readable (so the PROPFIND can succeed if anonymous) but others 
> be hidden to unauthenticated users.

But you could still use LOCK to enforce authentication, right?

> More generally, it's not actually a WebDAV problem alone. If a client 
> does a GET to a dynamically generated page, they could easily see 
> different results based on whether they're authenticated or not. Since 
> browsers today often cache authentication information, this means that 
> the browser could inform the server that they'd like the challenge to 
> save the user the step of first going to the site, seeing the anonymous 
> page version, then choosing to login. Of course some sites use cookies 
> for this but cookies are sometimes disabled, expired, etc.

In which case I would recommend to

- update Jim's description of the problem accordingly and

- do this in a separate draft, optimally discussed on the HTTP WG's 
mailing list.

Best regards, Julian
Received on Saturday, 29 October 2005 08:23:22 GMT
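The situation Lisa describes in the quoted text (a read-only PROPFIND that succeeds anonymously but silently omits members the requester could see if authenticated, so a client that waits for a 401 before sending credentials never learns it is looking at the reduced view) and Julian's point that a LOCK does force a challenge can both be modelled in a few dozen lines. The block below is an added example, not code from the thread or from any WebDAV implementation; the collection, the user store, and the functions `handle`, `check_basic`, `basic_header` and `client_listing` are constructed for illustration. It does not implement the force-authenticate proposal itself; the only existing mechanism it shows for skipping the anonymous-then-login round trip is the client sending Basic credentials preemptively, which RFC 7617 permits.

```python
import base64
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): a collection where some members are
# readable anonymously and others are hidden unless the requester is authenticated.
COLLECTION: Dict[str, bool] = {          # path -> publicly readable?
    "/coll/": True,
    "/coll/readme.txt": True,
    "/coll/notes.txt": False,
    "/coll/draft.doc": False,
}

# Hypothetical credential store for the example server.
USERS = {"alice": "correct horse battery staple"}

Response = Tuple[int, Dict[str, str], List[str]]   # (status, headers, body lines)


def basic_header(user: str, password: str) -> str:
    """Client side: build a Basic Authorization header (RFC 7617 encoding)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(authorization: str) -> Optional[str]:
    """Server side: return the user name if the header carries valid Basic credentials, else None."""
    if not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Compare against a dummy secret for unknown users so timing does not reveal valid names.
    expected = USERS.get(user, "no-such-user")
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return user if ok and user in USERS else None


def challenge() -> Response:
    return 401, {"WWW-Authenticate": 'Basic realm="dav"'}, []


def handle(method: str, path: str, headers: Dict[str, str]) -> Response:
    """Minimal WebDAV-style dispatcher modelling the behaviour discussed in the thread:
    PROPFIND succeeds anonymously but lists only public members; LOCK always challenges."""
    auth = headers.get("Authorization")
    user = check_basic(auth) if auth is not None else None
    if auth is not None and user is None:
        return challenge()      # credentials were offered and rejected: never downgrade to anonymous
    if method == "LOCK" and user is None:
        return challenge()      # a write-intent method is the one place an anonymous client is challenged
    if path not in COLLECTION:
        return 404, {}, []
    if not COLLECTION[path] and user is None:
        return 404, {}, []      # private resources are hidden from, not forbidden to, anonymous requesters
    if method == "PROPFIND":
        visible = [p for p, public in COLLECTION.items()
                   if p.startswith(path) and (public or user is not None)]
        return 207, {}, sorted(visible)
    if method == "LOCK":
        return 200, {"Lock-Token": "<opaquelocktoken:example>"}, [path]
    return 405, {}, []


def client_listing(path: str, user: str, password: str, preemptive: bool) -> Tuple[int, List[str], int]:
    """Client side. Returns (status, members, number of requests sent).
    A challenge-driven client sends credentials only after a 401; because PROPFIND never
    challenges, it silently receives the anonymous view and has no signal telling it to retry.
    A preemptive client sends Authorization on the first request and gets the full view."""
    headers = {"Authorization": basic_header(user, password)} if preemptive else {}
    status, resp_headers, body = handle("PROPFIND", path, headers)
    sent = 1
    if status == 401 and "WWW-Authenticate" in resp_headers:
        status, resp_headers, body = handle("PROPFIND", path, {"Authorization": basic_header(user, password)})
        sent = 2
    return status, body, sent
```

Two things worth noting from running it. First, `client_listing(..., preemptive=False)` returns 207 with only the public members and sends a single request: nothing in that response tells the client it is missing anything, which is exactly why the thread is asking for a way to request the challenge. Second, using LOCK purely as an authentication probe, as Julian suggests, does produce the 401 for an anonymous client, but a successful LOCK is a state change that has to be released again, and the handler above deliberately answers an anonymous LOCK with 401 before checking whether the path exists so that the probe cannot be used to enumerate hidden resources.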
