Re: Basic Authentication behavior

John Franks wrote:
> I have observed the following behavior from a popular browser
> using Basic authentication.
> 
> The server has a directory /dir protected by Basic auth and
> using realm "realm1".  There is a subdirectory /dir/sub/ which
> is also protected by Basic auth but with a different realm and
> different user/password database.
> 
> If the user first requests http://host/dir/foo then he/she is prompted
> for a username/password pair and that is used to access the file.  If
> the user then requests http://host/dir/sub/foo2 the browser does not
> prompt the user and sends the request with the previously entered
> username/password even though the realm for the subdirectory is
> different.
> 
> ......
> 
> Any thoughts on this?  Should the specification discourage this type
> of password guessing?

This would defeat some of the benefit of guessing when to use the
password, and automatically sending it without getting a challenge
first.  It would be unfortunate if, every time the user entered a new
directory, the server had to challenge the user and waste an extra
request/response.

I think that the client's behaviour is desirable, and rather than
discouraging this behaviour (which saves an extra request), I would
add verbiage into the spec that explains that that's how it works, why
it works like that, and that the user should be prepared to deal with
it.

Furthermore, if the password databases are really different on those
two realms, the server will simply reject the username/password that
was automatically sent, and re-issue a challenge.  If the password
database is the same then the point is moot, because the user wouldn't
have to see the realm anyway.

Cheers,
--
Ari Luotonen, Mail-Stop MV-061		Opinions my own, not Netscape's.
Netscape Communications Corp.		ari@netscape.com
501 East Middlefield Road		http://people.netscape.com/ari/
Mountain View, CA 94043, USA		Netscape Proxy Server Development

Received on Tuesday, 2 September 1997 12:14:36 UTC
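The exchange the two messages describe, as an added simulation that is not part of the thread: a client that re-sends the credentials it cached for /dir/ to any URL below that directory, and a server with one realm on /dir/ and a different realm and user database on /dir/sub/. The realm names, paths and credentials are constructed for the example; the behaviour shown is what Ari describes, the server rejecting the pre-emptively sent pair and re-issuing a challenge for the new realm, while requests within an already-authenticated directory succeed without an extra round trip.

```python
"""Simulation of Basic-auth credential reuse across directories.
Constructed example: no network I/O, all paths/realms/passwords invented."""
import base64
import hmac
import re
from typing import Optional

# Constructed server configuration: protected prefix -> (realm, user database)
PROTECTED = {
    "/dir/": ("realm1", {"alice": "s3cret"}),
    "/dir/sub/": ("realm2", {"bob": "hunter2"}),
}


def basic_header(user: str, password: str) -> str:
    """Build an RFC 2617 style Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_realm(challenge: str) -> Optional[str]:
    """Extract the realm from a WWW-Authenticate: Basic challenge."""
    m = re.search(r'realm="([^"]*)"', challenge)
    return m.group(1) if m else None


def _protecting_prefix(path: str) -> Optional[str]:
    """The most specific protected prefix covering `path`, if any."""
    matches = [p for p in PROTECTED if path.startswith(p)]
    return max(matches, key=len) if matches else None


def server_handle(path: str, authorization: Optional[str]) -> dict:
    """Serve GET `path`: check the Authorization header against the user
    database of the most specific realm, else answer 401 with a challenge."""
    prefix = _protecting_prefix(path)
    if prefix is None:
        return {"status": 200, "headers": {}}
    realm, users = PROTECTED[prefix]
    if authorization and authorization.startswith("Basic "):
        try:
            decoded = base64.b64decode(authorization[6:], validate=True).decode()
        except ValueError:  # bad base64 or non-UTF-8 payload
            decoded = ""
        user, _, password = decoded.partition(":")
        expected = users.get(user)
        # Constant-time comparison so a wrong guess leaks no timing signal
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return {"status": 200, "headers": {}}
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{realm}"'}}


def _directory(path: str) -> str:
    return path.rsplit("/", 1)[0] + "/"


class Client:
    """Browser-like client: caches credentials per directory and sends them
    pre-emptively to any URL at or below a directory it already authenticated to."""

    def __init__(self, known_credentials: dict):
        self.known = known_credentials  # realm -> (user, password); stands in for the prompt
        self.cache = {}                 # directory -> (user, password)
        self.log = []                   # (path, user sent or None, status) per exchange

    def _cached_for(self, path: str):
        directory = _directory(path)
        candidates = [d for d in self.cache if directory.startswith(d)]
        return self.cache[max(candidates, key=len)] if candidates else None

    def _send(self, path: str, creds) -> dict:
        auth = basic_header(*creds) if creds else None
        resp = server_handle(path, auth)
        self.log.append((path, creds[0] if creds else None, resp["status"]))
        return resp

    def get(self, path: str) -> dict:
        resp = self._send(path, self._cached_for(path))
        if resp["status"] == 401:
            realm = parse_realm(resp["headers"]["WWW-Authenticate"])
            if realm not in self.known:
                return resp  # user cannot answer the challenge; give up
            creds = self.known[realm]
            resp = self._send(path, creds)
            if resp["status"] == 200:
                self.cache[_directory(path)] = creds
        return resp


def run_scenario() -> list:
    """Replay the sequence from the thread and return the exchange log."""
    client = Client({"realm1": ("alice", "s3cret"), "realm2": ("bob", "hunter2")})
    for path in ["/dir/foo", "/dir/bar", "/dir/sub/foo2", "/dir/sub/foo3"]:
        client.get(path)
    return client.log


if __name__ == "__main__":
    for path, user, status in run_scenario():
        print(f"GET {path:14} auth={user or '-':6} -> {status}")
```

The log shows the two sides of the trade-off: /dir/bar is served in one exchange because the cached pair for /dir/ is sent without a challenge, while /dir/sub/foo2 costs the same two exchanges it would have cost anyway, since the server simply rejects alice's credentials and challenges for realm2.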