Re: Proposal for two new authentication schemes...

On Tue, 7 May 1996, Rich Connamacher wrote:

> I know that this is too late in the game to become a part of HTTP 1.1, 
> but I would like to suggest the following two additions to the 
> authorization scheme, let's call them "clear" and "tagged".
> WWW-authenticate: Clear realm=foo

Something with the functionality of the "Clear" parameter you suggest is
a good idea.  I am not sure that the realm should be specifiable though
-- only the current realm should work.  

The syntax could be worked out, but this is much needed functionality.
There are various reasons the server might need to tell the client
to clear the authentication data and go back to the user for the 
username/password on the *next* request to this realm.  Presumably any
client cached data from this realm should also be removed.

You mention the case of sensitive accessed on machines with multiple
users, but there are other scenarios also. For example, I would like
a server to be able to redirect to another document on authentication
failure.  This is not currently possible, however, because a user who
is entitled to access but mistypes his password will get the redirection
too and since the client believes access has succeeded it will never
allow the user to re-enter the password until the client software has
been restarted.

John Franks 	Dept of Math. Northwestern University

Received on Tuesday, 7 May 1996 09:39:48 UTC