
Re: CNAMES and HTTP Authentication

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Thu, 24 Oct 96 17:16:45 EDT
Message-Id: <9610242116.AA01340@aleatory>
To: marc@ckm.ucsf.edu
Cc: www-talk@w3.org

"Marc Salomon" <marc@ckm.ucsf.edu> wrote:
  > [What happens if two DNS CNAMEs resolve to the same IP address?...]
  >
  > The user fires up the application by pointing their browser to
  > www.foo.edu:/apps/thing, authenticates and is granted authorization to
  > proceed.  An embedded link somewhere in the application points to
  > bar.foo.edu:/apps/thing.
  >
  > When the user dereferences this link, should the browser prompt to authenticate
  > again, or should it create an equivalence class for this IP address
  > containing the CNAMEs of which the browser is aware and send the
  > authentication data to the server?
  > 
  > In HTTP/1.0?
  > 
  > In HTTP/1.1 where the mandatory Host header forces disambiguation?

With HTTP/1.1 the two CNAMEs most certainly must be treated
separately.  If pepsi.com and coke.com resolve to the same IP address
(yes, unlikely), you wouldn't want the same authentication to work for
coke.com/secret-formula and pepsi.com/secret-formula.

IMO, HTTP/1.0 should work the same way, by name, not by IP address.

In general, note that the client may not even be able to resolve the IP
address, relying instead on a proxy to complete a connection.

Dave Kristol
Received on Thursday, 24 October 1996 17:17:27 GMT
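
Added example, not part of the original message: a client-side credential cache scoped by host name, shown beside a weaker variant scoped by resolved IP address, using the www.foo.edu and bar.foo.edu names from the thread. The DNS table, the IP address, the "apps" realm, the credentials and all function and class names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed DNS view: two names aliasing one address (documentation IP range).
CONSTRUCTED_DNS = {"www.foo.edu": "192.0.2.10", "bar.foo.edu": "192.0.2.10"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def name_key(url):
    """Scope credentials by (scheme, host name, port); no DNS lookup needed,
    so it also works when only a proxy can resolve the name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lowercases it
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, host, port)


def ip_key(url):
    """Weak variant: scope by resolved address, merging every alias of a server."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, CONSTRUCTED_DNS[parts.hostname], port)


class CredentialCache:
    def __init__(self, key_func):
        self._key_func = key_func
        self._store = {}

    def remember(self, url, realm, credentials):
        self._store[(self._key_func(url), realm)] = credentials

    def lookup(self, url, realm):
        """Return cached credentials for this URL and realm, or None (prompt the user)."""
        return self._store.get((self._key_func(url), realm))


def demo():
    """Authenticate to www.foo.edu, then follow the link to bar.foo.edu."""
    results = {}
    for label, key_func in (("by-name", name_key), ("by-ip", ip_key)):
        cache = CredentialCache(key_func)
        cache.remember("http://www.foo.edu/apps/thing", "apps", ("marc", "constructed-pw"))
        results[label] = cache.lookup("http://bar.foo.edu/apps/thing", "apps")
    return results


if __name__ == "__main__":
    print(demo())
```

With the name-keyed cache the second host gets no credentials and the user is prompted again; the IP-keyed cache hands the first host's credentials to any name sharing the address.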
