Re: Basic Authentication behavior

>>>>> Scott Lawrence <lawrence@agranat.com> wrote:

SDL> It has been our observation that most browsers handle multiple
SDL> realms in the same server poorly; once they have established a set
SDL> of credentials for a given server, they will always send that set
SDL> until it fails.  If the failure presents a new realm, most browsers
SDL> forget the credentials for the first realm.

>>>>> "FM" == Foteos Macrides <MACRIDES@SCI.WFBR.EDU> writes:

FM> I'm a bit concerned that the logic you (and John, and Jim)
FM> are bringing to this issue, and reflected in your "event" test, may
FM> be on the verge of creating a post hoc logic versus current practice
FM> pickle, homologous to that for redirection.

FM> It is classic libwww behavior to guess a template for a Basic
FM> realm, and that is current practice for software which has it as a
FM> heritage.

  I evidently didn't make clear what I was objecting to; I don't have
  any problem with the behaviour you describe for libwww in terms of
  guessing the protection space; in fact, I don't have any problem
  with the client sending the realm credentials on any request to a
  new URL in the same server until they are refused (regardless of
  hierarchy - I prefer not to get too hung up on the URL space as a
  tree).

  Here is the case I have a problem with (removing headers not
  relevant to this discussion):

  First request - no credentials supplied:

    > GET http://server/demo.html HTTP/1.1

    < HTTP/1.1 401 Unauthorized
    < WWW-Authenticate: Basic realm="Demonstration"

  Second request, same URL with credentials:

    > GET http://server/demo.html HTTP/1.1
    > Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    < HTTP/1.1 200 OK

  Third request - a new URL, client sends same credentials (same
  server, so I think this is ok, some would say they shouldn't be sent
  unless the path had a common root - not my current point).
  Server returns a new realm value:

    > GET http://server/other.html HTTP/1.1
    > Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    < HTTP/1.1 401 Unauthorized
    < WWW-Authenticate: Basic realm="Different"

  Fourth request - establish good credentials for the 'Different'
  realm:

    > GET http://server/other.html HTTP/1.1
    > Authorization: Basic QWxhZGRpbjpvcGXXXXXXXQ==

    < HTTP/1.1 200 OK

  Now the user returns to the original URL: (http://server/demo.html),
  which the client learned in the first request was in realm
  'Demonstration'.  Clients we have tested will have forgotten this
  and send the credentials for realm 'Different', and when they get
  the 401 response will reprompt the user for the 'Demonstration'
  realm again.

--
Scott Lawrence           EmWeb Embedded Server      <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/

Received on Monday, 8 September 1997 06:26:37 UTC
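The exchange Scott describes can be reproduced as a small simulation. This is an added example, not code from the thread or from EmWeb or libwww: a constructed server with two paths in two Basic realms, a client that keeps a single credential set per server and discards it on a new realm (the behaviour Scott reports seeing), and a client that caches credentials per realm and remembers which path belonged to which realm. The first credential is the RFC 2617 "Aladdin:open sesame" example that appears in the message; the second realm's password is constructed, since the message masks it.

```python
import base64

# Constructed server: which realm protects each path, and which
# user:password each realm accepts.
SERVER_REALMS = {
    "/demo.html": "Demonstration",
    "/other.html": "Different",
}
REALM_USERS = {
    "Demonstration": ("Aladdin", "open sesame"),  # RFC 2617 example credential
    "Different": ("Aladdin", "sesame"),           # constructed for this example
}
PATH_SEQUENCE = ["/demo.html", "/other.html", "/demo.html"]  # the message's scenario


def basic_token(user, password):
    """Encode a Basic credential exactly as it travels in the Authorization header."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def server_get(path, authorization=None):
    """Return (status, realm). Realm is set only on a 401 challenge."""
    realm = SERVER_REALMS[path]
    expected = "Basic " + basic_token(*REALM_USERS[realm])
    if authorization == expected:
        return 200, None
    return 401, realm


class NaiveClient:
    """Keeps one credential set per server; a new realm replaces it."""

    def __init__(self, prompt):
        self.prompt = prompt      # callback realm -> (user, password)
        self.current = None       # (realm, token) or None

    def get(self, path):
        auth = "Basic " + self.current[1] if self.current else None
        status, challenged = server_get(path, auth)
        if status == 401:
            # Re-prompt and overwrite whatever was cached for the other realm.
            self.current = (challenged, basic_token(*self.prompt(challenged)))
            status, _ = server_get(path, "Basic " + self.current[1])
        return status


class RealmAwareClient:
    """Caches credentials per realm and remembers each path's realm.

    For a URL it has not seen, it optimistically sends the credentials of the
    last realm used on this server (the "until refused" behaviour Scott has
    no objection to) and learns the real realm from the challenge.
    """

    def __init__(self, prompt):
        self.prompt = prompt
        self.tokens = {}          # realm -> token
        self.paths = {}           # path -> realm learned from a successful fetch
        self.last_realm = None

    def get(self, path):
        realm = self.paths.get(path, self.last_realm)
        auth = "Basic " + self.tokens[realm] if realm in self.tokens else None
        status, challenged = server_get(path, auth)
        if status == 401:
            # Prompt only if we hold nothing for this realm, or what we hold was refused.
            if challenged == realm or challenged not in self.tokens:
                self.tokens[challenged] = basic_token(*self.prompt(challenged))
            status, _ = server_get(path, "Basic " + self.tokens[challenged])
            realm = challenged
        if status == 200:
            self.paths[path] = realm
            self.last_realm = realm
        return status


def run_exchange(client_cls, paths=PATH_SEQUENCE):
    """Walk the path sequence; return the final statuses and every realm the user was prompted for."""
    prompts = []

    def prompt(realm):
        prompts.append(realm)
        return REALM_USERS[realm]

    client = client_cls(prompt)
    statuses = [client.get(p) for p in paths]
    return statuses, prompts


if __name__ == "__main__":
    for cls in (NaiveClient, RealmAwareClient):
        statuses, prompts = run_exchange(cls)
        print(f"{cls.__name__}: statuses={statuses} prompts={prompts}")
```

Both clients end with three 200 responses, but the naive client prompts the user three times (Demonstration, Different, Demonstration again) while the realm-aware client prompts twice and serves the return visit to demo.html from its per-realm cache. The per-path realm map is what removes the extra 401 round trip and the spurious re-prompt on the last request.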