
CNAMES and HTTP Authentication

From: Marc Salomon <marc@ckm.ucsf.edu>
Date: Thu, 24 Oct 1996 12:58:33 -0700
Message-Id: <9610241258.ZM13146@gaia.ckm.ucsf.edu>
To: www-talk@w3.org

I ran into an interesting condition today and was wondering what people thought
about what proper behavior should be.

Assume that we have one machine known by a number of CNAMEs.  Say that an
application that lives somewhere in the hierarchy has been "protected" with
BASIC authentication.  www.foo.edu:/apps/thing and bar.foo.edu:/apps/thing
refer to the same resource.  For the point of illustration, assume that the
people designing the application don't know of relative URLs or the BASE tag,
and they hard-wire an absolute URL into the application.

The user fires up the application by pointing their browser to
www.foo.edu:/apps/thing, authenticates and is granted authorization to proceed.
An embedded link somewhere in the application points to
bar.foo.edu:/apps/thing.

When the user dereferences this link, should the browser prompt to authenticate
again, or should it create an equivalence class for this IP address
consisting of the CNAMEs of which the browser is aware and send the
authentication data to the server?

In HTTP/1.0?

In HTTP/1.1 where the mandatory Host header forces disambiguation?

-marc

-- 
Received on Thursday, 24 October 1996 15:57:04 GMT
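
The two client behaviours the message contrasts, as an added example that is not part of the original post: a toy credential cache keyed either by host name or by resolved address. The address 192.0.2.10, port 80, the user name and password, and the third host other.example are constructed assumptions; realms are left out for brevity.

```python
import base64

# Constructed DNS view: the two names from the post plus a hypothetical,
# unrelated name-based virtual host that shares the same address.
DNS = {
    "www.foo.edu": "192.0.2.10",
    "bar.foo.edu": "192.0.2.10",
    "other.example": "192.0.2.10",
}

def basic_header(user, password):
    """Build the Authorization value used by Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

class CredentialCache:
    """Toy browser cache for Basic credentials under one keying policy."""

    def __init__(self, policy):
        if policy not in ("by-name", "by-ip"):
            raise ValueError(policy)
        self.policy = policy
        self._store = {}

    def _key(self, host, port):
        # by-name: the server is identified by the name in the URL.
        # by-ip: every name resolving to one address is treated as one server.
        host = host.lower()
        ident = host if self.policy == "by-name" else DNS[host]
        return (ident, port)

    def remember(self, host, port, path, user, password):
        entry = (path, basic_header(user, password))
        self._store.setdefault(self._key(host, port), []).append(entry)

    def header_for(self, host, port, path):
        """Header to send without prompting, or None (user is prompted)."""
        for prefix, header in self._store.get(self._key(host, port), []):
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                return header
        return None

def walk(policy):
    """Authenticate once at www.foo.edu, then ask which hosts get the header."""
    cache = CredentialCache(policy)
    cache.remember("www.foo.edu", 80, "/apps/thing", "alice", "s3cret")
    return {h: cache.header_for(h, 80, "/apps/thing") is not None for h in DNS}
```

Under the by-name policy the link to bar.foo.edu triggers a second prompt; under the by-ip policy the cached credentials are reused there and are also offered to other.example, which merely shares the address.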
