- From: Josh Cohen <joshco@microsoft.com>
- Date: Fri, 23 Jan 1998 00:52:04 -0800
- To: "'ietf-http-ext@w3.org'" <ietf-http-ext@w3.org>
Reauthentication required revisited. I'm not sure if this should really go to http-wg or http-ext, so I'll post it here, and if it comes to a consensus, we can think about bringing it to the WG for 1.1...

The big problem I saw with the reauth required is that while the server can advise the client to ask the user for credentials again, there is no way for the server to be sure that the client really behaved and didn't just say "yeah, whatever" and send cached creds. I propose a more generalized method of affecting this problem.

In English, what I'd like to see go on is this: Client is surfing along, and comes to URL A. URL A is a script which performs an action. For this example, that action is "grab a coke from the fridge".

  1. Client requests a coke.
  2. Server replies: go ask your mother first.
  3. Client asks mom "can I have a coke".
  4. Client repeats the request and along with the request says: "I did what you asked, mom says OK".
  5. Server hands out a coke.

What I'm looking at is not to verify that mom was actually asked, but that the client claims that it took action.

In HTTP terms: (As usual, excuse my BNF.)

Introduce a new response header action-request:

  action-request ":" ActionID "," "type" "=" value
  ActionID = OpaqueString
  value = "AUTH" | "EXEC" | "ECHO"

  AUTH  means reacquire the credentials for the realm used on this request
  EXEC  means "execute" the content body, which presumably is a script, i.e. JavaScript
  ECHO  perform no action, just echo the ActionID in the next request to this URI

When this header is received with the 4xx code above, the client should immediately perform the action indicated and try the request again (exact same request except for inclusion of the action-reply header). When received with a 200, and ECHO as the action, simply send the ActionID with action-reply for the next request to the same URI only.

Introduce a new request header action-reply:

  action-reply ":" ActionID

When re-sending a request due to 4xx preAction required, include the ActionID to indicate acknowledgement.

Introduce response code 4xx preAction required. This response code must have an action-request header.

---

Essentially this is a server to client request acknowledgement system. The case in point for us is for a POST with a CGI where the CGI wants the browser to go do something, like reauth, then repeat the same request. This is needed because without it, the best we could hope for was a redirect to itself (which the browsers today are smart enough to not do), or use a meta refresh (which would cause a "repost data?" prompt to pop up). I believe that in this case reposting the data is OK without user intervention because the POST action is declared to not complete, and the server is instructing the client to "retry" the request. When using this the CGI must not carry out the POST when returning the 4xx code.

---

Your comments?
Received on Friday, 23 January 1998 03:52:25 UTC
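The exchange proposed in the post, as an added example that is not part of the message or of any implementation: a toy server that answers a POST with the "4xx preAction required" challenge and an action-request header, a client that performs the AUTH action and retries the identical request with action-reply, and the server checking that the ActionID is one it issued, is single-use, and was issued for exactly this request before it carries out the POST. The concrete status number 449, the dict-based request and response objects, the `/coke` URI and the `reauth` callback are all assumptions made for the example; the post only says "4xx". The server-side check illustrates the limitation the post states: the server can verify the acknowledgement, not that the user was really asked.

```python
import secrets

# Assumed concrete values for the post's placeholders: the "4xx preAction
# required" status and the two header names the post proposes.
PREACTION_REQUIRED = 449          # constructed; the post only says "4xx"
ACTION_REQUEST = "action-request"
ACTION_REPLY = "action-reply"


def parse_action_request(value):
    """Parse 'ActionID , type=AUTH|EXEC|ECHO' into (action_id, kind)."""
    action_id, _, rest = value.partition(",")
    key, _, kind = rest.strip().partition("=")
    kind = kind.strip().upper()
    if key.strip().lower() != "type" or kind not in ("AUTH", "EXEC", "ECHO"):
        raise ValueError("malformed action-request: %r" % value)
    return action_id.strip(), kind


class Server:
    """Origin server whose POST /coke must be acknowledged before it runs."""

    def __init__(self):
        self.pending = {}     # ActionID -> (method, uri, body) it was issued for
        self.fridge = 3
        self.dispensed = 0

    def handle(self, req):
        if req["uri"] != "/coke" or req["method"] != "POST":
            return {"status": 404, "headers": {}, "body": ""}
        reply = req["headers"].get(ACTION_REPLY)
        # pop() makes every ActionID single-use, so a replayed one is rejected.
        issued_for = self.pending.pop(reply, None) if reply else None
        # Only an ActionID we issued, for this exact request, counts as an
        # acknowledgement; anything else gets a fresh challenge and no coke.
        # (This is the claim check the post describes: we learn that the client
        # says it did the action, not that mom was actually asked.)
        if issued_for != (req["method"], req["uri"], req["body"]):
            action_id = secrets.token_hex(8)     # opaque string, unguessable
            self.pending[action_id] = (req["method"], req["uri"], req["body"])
            return {"status": PREACTION_REQUIRED,
                    "headers": {ACTION_REQUEST: "%s, type=AUTH" % action_id},
                    "body": ""}
        if self.fridge == 0:
            return {"status": 409, "headers": {}, "body": "fridge empty"}
        self.fridge -= 1                # the POST is carried out only here
        self.dispensed += 1
        return {"status": 200, "headers": {}, "body": "here is your coke"}


class Client:
    """Client that honours the 4xx by performing the action, then retrying once."""

    def __init__(self, server, reauth):
        self.server = server
        self.reauth = reauth            # callback that re-asks the user ("mom")
        self.actions_performed = []

    def send(self, method, uri, body=""):
        req = {"method": method, "uri": uri, "headers": {}, "body": body}
        resp = self.server.handle(req)
        if resp["status"] != PREACTION_REQUIRED:
            return [resp]
        action_id, kind = parse_action_request(resp["headers"][ACTION_REQUEST])
        if kind == "AUTH":
            self.reauth()
        elif kind == "EXEC":
            # Assumption for this example: a client that will not run
            # server-supplied script simply does not acknowledge, so no retry.
            return [resp]
        self.actions_performed.append(kind)
        # Exact same request, plus the action-reply header; one retry only.
        retry = dict(req, headers={ACTION_REPLY: action_id})
        return [resp, self.server.handle(retry)]


def run_exchange():
    """Steps 1-5 of the post: challenge, ask mom, retry with the ActionID."""
    server = Server()
    asked = []
    client = Client(server, reauth=lambda: asked.append("mom says OK"))
    transcript = client.send("POST", "/coke", body="want=1")
    return server, client, asked, transcript


def replayed_action_id_is_rejected():
    """Reusing an already-consumed ActionID gets a fresh challenge, not a coke."""
    server = Server()
    client = Client(server, reauth=lambda: None)
    first, _second = client.send("POST", "/coke", body="want=1")
    used_id, _ = parse_action_request(first["headers"][ACTION_REQUEST])
    replay = {"method": "POST", "uri": "/coke",
              "headers": {ACTION_REPLY: used_id}, "body": "want=1"}
    return server.handle(replay)["status"]


if __name__ == "__main__":
    server, client, asked, transcript = run_exchange()
    for resp in transcript:
        print(resp["status"], resp["headers"], resp["body"])
    print("dispensed:", server.dispensed, "asked:", asked)
    print("replay status:", replayed_action_id_is_rejected())
```

Binding the ActionID to the exact request (method, URI and body) is what lets the server repost-safely execute the retried POST without user intervention, as the post argues: the first POST was declared not to have completed, and the retry is accepted only if it is byte-for-byte the request the challenge was issued for.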