- From: Dave Kristol <dmk@allegra.att.com>
- Date: Thu, 17 Aug 95 14:19:25 EDT
- To: fielding@beach.w3.org
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Roy Fielding <fielding@beach.w3.org> wrote: > >[Dave Kristol wrote:] > >2) Client sends Authorization request header. Server doesn't like the > >information therein. > > > > 2a) Basic scheme. At present, servers send 401 if the name:passwd > > is unacceptable. > > Are you sure? I thought they sent 403 in this case. NCSA sends 401. That's also what my server does. 403, according to the draft, means "Authorization will not help", so that's wrong. > > > Should they send 411 for HTTP/1.1? > > Yes, but only if they want to include information about how the > user can correct the situation. Do you mean "include" as part of WWW-Authenticate, or as part of an entity. I would be leery of the latter, for the same reason that the Unix login program doesn't tell you what went wrong: you don't want to say whether it was a bad user-id, a bad password, or other. > > > Apparently > > not: the challenge is likely to be the same as the previous one, > > so sending the same response is futile. > > "likely to be the same" is not a strong statement. Well, for Basic there's really no choice to the challenge, is there? So the challenge will certainly be the same. > > > 2b) Digest scheme. > > 2b1) The "stale" attribute says whether the problem is with the > > nonce value, so the client can tell whether the server thinks > > that's what the problem is. Should the server send 401 or 411 on a > > stale nonce? (I'm guessing 411, although it doesn't appear to > > matter.) > > 411 (I was assuming that 401 is only sent when the request had no > Authorization field at all). > > > 2b2) If the nonce is fresh, but the server rejects the authorization > > information for other reasons, I'm guessing the server should > > return a 401. A 411 would imply that the client could recalculate > > the Authorization header from the challenge (realm and nonce), but > > they may well be the same the second time, and the server would > > reject it again. > > 411 if the server wants to give them another chance, 403 otherwise. As I said above, 403 is the wrong response, according to the words in the draft (v10-spec-01). > The description of 411 states that: > > The response must include a WWW-Authenticate header field > (Section 8.30) containing a challenge applicable to the requested > resource. If the challenge is different from that assumed by the > last request, the client may repeat the request with a suitable > Authorization header field after obtaining the user's approval. > > Should that be "If and only if"? If you said that, you would preclude the server's returning the same challenge and letting the client have another guess at the correct value. Then again, if that happened, the user could try the same link again, the client would send no Authorization header, the server would return a challenge, and the user could try again. > > On the other hand, we could just use 401 for both, but I was told > earlier (on the list) that the 411 semantics were needed. That's why I asked for clarification. My gut tells me there's a use for 411, but I don't see it yet. Dave Kristol
Received on Thursday, 17 August 1995 11:30:21 UTC