- From: Dave Kristol <dmk@allegra.att.com>
- Date: Wed, 16 Aug 95 17:41:50 EDT
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
401 and 411 are the response codes for failed authentication. I'm uncertain when an origin server should respond with 411, rather than 401. Here's what I think I understand. Assume, in each case, that the origin server requires authentication for the request.

1) Client sends no Authorization request header. Server always responds with 401.

2) Client sends Authorization request header. Server doesn't like the information therein.

   2a) Basic scheme. At present, servers send 401 if the name:passwd is unacceptable. Should they send 411 for HTTP/1.1? Apparently not: the challenge is likely to be the same as the previous one, so sending the same response is futile.

   2b) Digest scheme.

      2b1) The "stale" attribute says whether the problem is with the nonce value, so the client can tell whether the server thinks that's what the problem is. Should the server send 401 or 411 on a stale nonce? (I'm guessing 411, although it doesn't appear to matter.)

      2b2) If the nonce is fresh, but the server rejects the authorization information for other reasons, I'm guessing the server should return a 401. A 411 would imply that the client could recalculate the Authorization header from the challenge (realm and nonce), but they may well be the same the second time, and the server would reject it again.

So, in all cases but 2b1, the correct answer appears to be 401. For case 2b1, 401 should work as well as 411, because the "stale" attribute provides the equivalent information to 411.

So, what is 411 for??

Dave Kristol
Received on Wednesday, 16 August 1995 14:46:45 UTC
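The decision tree in the message above (cases 1, 2a, 2b1 and 2b2), worked through as an added example that is not part of the original post and not Kristol's code. It follows his conclusion: the server answers 401 in every case and uses the Digest `stale=true` attribute to distinguish an expired nonce (2b1) from rejected credentials (2b2). The nonce format (timestamp, random value and HMAC under a server-side key), the realm, the credential store and the key are constructed for the demo; the response digest uses the original MD5(HA1:nonce:HA2) form of Digest authentication, which is an assumption about the era rather than anything stated in the message.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo values (not from the original message).
REALM = "example@demo"
SERVER_KEY = b"demo-server-key"      # assumption: secret used to MAC nonces
NONCE_LIFETIME = 300                 # seconds a nonce stays fresh (assumption)
USERS = {"alice": "correct horse"}   # constructed credential store


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now=None) -> str:
    """Nonce = timestamp:random:MAC, so the server can judge age and integrity statelessly."""
    now = int(time.time() if now is None else now)
    body = f"{now}:{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}:{mac}"


def nonce_state(nonce: str, now=None) -> str:
    """'fresh', 'stale' (genuine but expired) or 'invalid' (malformed or not ours)."""
    now = int(time.time() if now is None else now)
    try:
        ts, rnd, mac = nonce.split(":")
        expected = hmac.new(SERVER_KEY, f"{ts}:{rnd}".encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(mac, expected):
            return "invalid"
        age = now - int(ts)
    except ValueError:
        return "invalid"
    if age < 0:
        return "invalid"          # a nonce dated in the future was not issued by us
    return "stale" if age > NONCE_LIFETIME else "fresh"


def digest_response(user, password, method, uri, nonce):
    """Original Digest form: MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def digest_header(user, password, method, uri, nonce):
    resp = digest_response(user, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_params(rest: str) -> dict:
    """Parse 'k="v", k2="v2"' into a dict (enough for this demo; values contain no commas)."""
    out = {}
    for item in rest.split(","):
        key, _, val = item.strip().partition("=")
        out[key.strip()] = val.strip().strip('"')
    return out


def authenticate(headers, method, uri, now=None):
    """Return (status, WWW-Authenticate challenge or None) for a protected resource."""
    challenge = f'Digest realm="{REALM}", nonce="{make_nonce(now)}"'
    auth = headers.get("Authorization")
    if auth is None:                                   # case 1: no credentials at all
        return 401, challenge
    scheme, _, rest = auth.partition(" ")
    if scheme == "Basic":                              # case 2a: Basic, accept or 401
        try:
            user, _, pw = base64.b64decode(rest).decode().partition(":")
        except Exception:
            return 401, challenge
        return (200, None) if USERS.get(user) == pw else (401, challenge)
    if scheme == "Digest":
        p = parse_params(rest)
        state = nonce_state(p.get("nonce", ""), now)
        if state == "stale":                           # case 2b1: nonce expired, say so
            return 401, challenge + ", stale=true"
        user = p.get("username", "")
        if state == "fresh" and user in USERS:
            expected = digest_response(user, USERS[user], method, uri, p["nonce"])
            if hmac.compare_digest(p.get("response", ""), expected):
                return 200, None
        return 401, challenge                          # case 2b2: fresh nonce, bad credentials
    return 401, challenge                              # unknown scheme
```

The server never needs to remember issued nonces: the MAC proves a nonce came from this server, and the embedded timestamp decides freshness, so a forged or tampered nonce is rejected without the `stale` hint while a genuinely expired one gets `stale=true` and the client can retry with the new nonce. The `now` parameter exists only so the behaviour can be exercised deterministically.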