- From: Brian Behlendorf <brian@wired.com>
- Date: Tue, 20 Dec 1994 04:59:14 -0800 (PST)
- To: Dave Raggett <dsr@hplb.hpl.hp.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Tue, 20 Dec 1994, Dave Raggett wrote: > Brian Behlendorf discussed the need for user authentication and realms. He > wants to be able to distinguish accesses to a given machine according to the > alias used for the host name, and advocates using the full URL in the GET > request. Just to correct history - I brought up as issues (since I didn't see them addresses directly as issues to be considered for 1.1 or -NG) that 1) We have some way to allow servers to express "your password is not only good here, but at these other servers/directories, so give it a try automatically when you go there". There were a few bits of email here about it a few weeks ago but I just didn't want it to go unnoticed as I and others consider it important, even as we ditch basic authentication and go towards MD5 signatures or whatever. 2) Having the GET request be changed to the full URL would be horrible non-backwards-compatible :) I suggested adding a header in the client request so foo.com, when CNAME'd by bar.com, knows to return bar.com's home page rather than foo.com's. Yes, vanity domain names are a scourge on the net and all that, but the alternative is to burn up IP numbers for the same effect. Something like Request-URI: http://bar.com/ or Host-requested: bar.com I don't know of a slick warm fuzzy solution short of a new header. Brian
Received on Tuesday, 20 December 1994 05:00:49 UTC