- From: John Franks <john@math.nwu.edu>
- Date: Tue, 2 Sep 1997 13:16:13 -0500 (CDT)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I have observed the following behavior from a popular browser using Basic authentication. The server has a directory /dir protected by Basic auth and using realm "realm1". There is a subdirectory /dir/sub/ which is also protected by Basic auth but with a different realm and different user/password database.

If the user first requests http://host/dir/foo then he/she is prompted for a username/password pair and that is used to access the file. If the user then requests http://host/dir/sub/foo2 the browser does not prompt the user and sends the request with the previously entered username/password even though the realm for the subdirectory is different.

My first reaction was that this behavior is not consistent with the specification which says, "The realm value (case-sensitive), in combination with the canonical root URL (see section 5.1.2) of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database."

But upon reflection, I am not so sure. Here are some points to consider:

When the browser requests /dir/sub/foo2 it essentially is *guessing* the username/password pair. At this point it has no way of knowing that the realm is different. The guess usually will be right. A successful guess will eliminate a round trip exchange of challenge and response.

On the other hand, the server has no way of knowing that the client is using a different realm so it can only try the username and password with the realm2 database. This would normally fail and I am not sure if there would be any adverse effects beyond extra load on the server and confusing server logs with a great many authentication failures.

For the browser in question, when the subdirectory authentication fails the user gets a failure message and an opportunity to retry. At this point the browser knows the realms are different, so at least the failure message is a bug (IMHO).

Any thoughts on this? Should the specification discourage this type of password guessing?

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu
Received on Tuesday, 2 September 1997 11:36:35 UTC
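The request sequence described in the post, modelled in Python as an added example (this is not code from the original message, from the browser discussed, or from any HTTP implementation). A toy server holds two nested protection spaces with separate credential databases; the client caches credentials per (canonical root URL, realm), guesses preemptively from the nearest directory it has already been challenged for, and, when a guess draws a 401, compares the realm in the new challenge with the realm it guessed. A different realm means a fresh protection space (prompt the user), the same realm means the stored password is wrong (report a failure). The server side records the authentication failures the post predicts, logged against realm2 even though the credentials were valid for realm1. Host, paths, user names and passwords are all constructed.

```python
import base64
import re

# Constructed server: path prefix -> (realm, credential database).
# The longest matching prefix decides which protection space applies.
SERVER_SPACES = {
    "/dir/": ("realm1", {"alice": "pw1"}),
    "/dir/sub/": ("realm2", {"bob": "pw2"}),
}
SERVER_LOG = []  # one entry per failed login, as a server log would show


def server_handle(path, authorization=None):
    """Return (status, WWW-Authenticate challenge or None) for one request."""
    prefix = max((p for p in SERVER_SPACES if path.startswith(p)), key=len, default=None)
    if prefix is None:
        return 200, None  # unprotected resource
    realm, db = SERVER_SPACES[prefix]
    challenge = f'Basic realm="{realm}"'
    if authorization is None:
        return 401, challenge
    scheme, _, token = authorization.partition(" ")
    try:
        user, _, pw = base64.b64decode(token).decode("latin-1").partition(":")
    except Exception:  # malformed base64: treat as no credentials
        user, pw = "", None
    if scheme == "Basic" and pw is not None and db.get(user) == pw:
        return 200, None
    # The server only sees a bad login against *its* database; it cannot tell
    # that the client replayed credentials that are valid for another realm.
    SERVER_LOG.append(f"401 realm={realm} user={user!r} path={path}")
    return 401, challenge


REALM_RE = re.compile(r'realm="([^"]*)"')


def parse_realm(challenge):
    """Extract the realm parameter from a Basic challenge (None if absent)."""
    m = REALM_RE.search(challenge or "")
    return m.group(1) if m else None


def basic_header(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode("latin-1")).decode()


class Client:
    """Browser-like client that sends cached credentials preemptively."""

    def __init__(self, root="http://host"):
        self.root = root
        self.creds = {}      # (canonical root URL, realm) -> (user, pw)
        self.dir_realm = {}  # directory prefix -> realm learned from a challenge
        self.prompts = []    # realms for which the user was actually asked

    def guess_realm(self, path):
        """Guess the protection space from the deepest known directory above path."""
        d = max((d for d in self.dir_realm if path.startswith(d)), key=len, default=None)
        return self.dir_realm[d] if d else None

    def fetch(self, path, ask_user):
        """Return (status, outcome); ask_user(realm) -> (user, pw)."""
        guessed = self.guess_realm(path)
        auth = basic_header(*self.creds[(self.root, guessed)]) if guessed else None
        status, challenge = server_handle(path, auth)
        if status == 200:
            return 200, "ok-preemptive" if guessed else "ok-unprotected"
        realm = parse_realm(challenge)
        if guessed is not None and realm == guessed:
            # Same protection space, so the cached password really is wrong.
            return 401, "bad-password"
        # No guess, or the guess hit a different realm: treat it as a fresh
        # challenge and prompt instead of reporting an authentication failure.
        user, pw = ask_user(realm)
        self.prompts.append(realm)
        self.creds[(self.root, realm)] = (user, pw)
        self.dir_realm[path[: path.rfind("/") + 1]] = realm
        status, _ = server_handle(path, basic_header(user, pw))
        return status, "ok-after-prompt" if status == 200 else "bad-password"


def demo():
    """Replay the post's sequence (/dir/foo, then /dir/sub/foo2) plus two more requests."""
    SERVER_LOG.clear()
    users = {"realm1": ("alice", "pw1"), "realm2": ("bob", "pw2")}  # what the user would type
    c = Client()
    paths = ("/dir/foo", "/dir/sub/foo2", "/dir/bar", "/dir/sub/baz")
    results = [c.fetch(p, users.__getitem__) for p in paths]
    return {"results": results, "prompts": c.prompts, "server_log": list(SERVER_LOG)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running the demo shows the two prompts (one per realm), the preemptive guess for /dir/sub/foo2 failing and producing a realm2 failure entry in the server log, and later requests under both directories succeeding without a challenge round trip once the client has learned which prefix belongs to which realm.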