- From: Rich Connamacher <phantom@baymoo.sfsu.edu>
- Date: Tue, 7 May 1996 06:25:49 -0700 (PDT)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

I know that this is too late in the game to become a part of HTTP 1.1, but I would like to suggest the following two additions to the authorization scheme; let's call them "clear" and "tagged".

    WWW-authenticate: Clear realm=foo

This means that, within the realm foo, the client should stop sending any authentication credentials. Without this, the client will keep bundling the username and password with each request, even when it is no longer needed, which could pose a threat in lab settings where one computer is controlled by several users, and it would take too long to reboot the browser between sessions. This would allow the server to instruct the client on when an authenticated session should end.

Another addition to the authentication scheme I would like to see would be for an invisible tagging of a password with each request, to make it easier for the server to keep track of individual guest users who don't have a username and password. It would work like the following:

    WWW-authenticate: Tagged realm=foo,authentication=bar

Then, the client should, within the realm foo, use 'bar' as its authorization credentials.

I have been working with HTTP for a little over a year now, developing servers to work with almost entirely non-static content, much of which is generated on the fly. This includes webbed conferencing systems, simple database searches, mail systems, and a general purpose server. These are two additions to the authorization scheme that I constantly find myself coming back to and wishing I had at my disposal.

Thank you.

Richard

Received on Tuesday, 7 May 1996 06:41:31 UTC
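
The two proposed challenges, sketched as a client-side credential cache. This is an added example, not part of the original message: the class and function names are hypothetical, and the reply format "Tagged <tag>" in the Authorization header is an assumption, since the message does not say how the tag is sent back.

```python
import base64
import re

# key=value or key="value" pairs in a challenge's parameter list
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')

def parse_challenge(header_value):
    """Split 'Scheme k=v,k2="v2"' into (lowercased scheme, params dict)."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = quoted if quoted is not None else bare
    return scheme.lower(), params

class CredentialCache:
    """Hypothetical per-realm credential store for ONE origin server.
    A real client must also key on the origin, so that one server's
    challenge cannot clear or overwrite another server's credentials."""

    def __init__(self):
        self._by_realm = {}  # realm -> Authorization header value

    def store_basic(self, realm, user, password):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._by_realm[realm] = "Basic " + token

    def handle_challenge(self, header_value):
        scheme, params = parse_challenge(header_value)
        realm = params.get("realm")
        if realm is None:
            raise ValueError("challenge has no realm")
        if scheme == "clear":
            # Proposed "Clear": forget this realm so nothing more is sent.
            self._by_realm.pop(realm, None)
        elif scheme == "tagged":
            tag = params.get("authentication")
            if not tag:
                raise ValueError("Tagged challenge has no authentication value")
            # Assumed reply format; the tag replaces any cached credentials.
            self._by_realm[realm] = "Tagged " + tag
        return scheme

    def authorization_for(self, realm):
        """Header value to send for this realm, or None to send nothing."""
        return self._by_realm.get(realm)
```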