- From: John Franks <john@math.nwu.edu>
- Date: Tue, 7 May 1996 11:31:19 -0500 (CDT)
- To: Rich Connamacher <phantom@baymoo.sfsu.edu>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

On Tue, 7 May 1996, Rich Connamacher wrote:

> I know that this is too late in the game to become a part of HTTP 1.1,
> but I would like to suggest the following two additions to the
> authorization scheme, let's call them "clear" and "tagged".
>
> WWW-authenticate: Clear realm=foo
>

Something with the functionality of the "Clear" parameter you suggest is a good idea. I am not sure that the realm should be specifiable though -- only the current realm should work. The syntax could be worked out, but this is much needed functionality.

There are various reasons the server might need to tell the client to clear the authentication data and go back to the user for the username/password on the *next* request to this realm. Presumably any client cached data from this realm should also be removed.

You mention the case of sensitive accessed on machines with multiple users, but there are other scenarios also. For example, I would like a server to be able to redirect to another document on authentication failure. This is not currently possible, however, because a user who is entitled to access but mistypes his password will get the redirection too and since the client believes access has succeeded it will never allow the user to re-enter the password until the client software has been restarted.

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu

Received on Tuesday, 7 May 1996 09:39:48 UTC