Re: Basic Authentication behavior

Ari Luotonen <> wrote:
>Regarding "heuristics" and "guessing" with authentication.
>I believe I wrote the original proposal and spec for basic auth used
>in HTTP.  I would like to make the point that the intention was that
>HTTP basic authentication be hierarchical, and that the rules not be
>heuristics, but simply the way it is defined.  If the request for:
>	http://.../foo/bar
>requires authentication, then the U-A will assume that all documents
>starting with the prefix:
>	http://.../foo/
>will require it.  It applies to the entire subtree, e.g.:
>	http://.../foo/baz/xyzzy/hello/world
>Similarly, any document in the server's root directory:
>	http://.../foo
>requiring authentication will imply that the whole server is
>password-protected, including the index file and any files and
>	http://.../
>	http://.../bar

	Is it also the case that proxy authentication, originally
implemented by the Netscape server, has a "template" of "*", i.e.,
that the same encoded username and password, once established for a
first request, should be used for all subsequent requests via that


 Foteos Macrides            Worcester Foundation for Biomedical Research
 MACRIDES@SCI.WFBR.EDU         222 Maple Avenue, Shrewsbury, MA 01545

Received on Monday, 8 September 1997 12:26:10 UTC
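
The hierarchical rule described in the quoted message, as an added example that is not part of the original thread: a client-side credential cache that derives the protected prefix from the challenged URL and sends credentials unprompted only inside that prefix on the same scheme, host and port. The host `example.test`, the class `BasicAuthCache`, the credential string, the longest-prefix tie-break and the dot-segment normalization are assumptions of this sketch, and realms are ignored.

```python
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_and_path(url):
    """Split an absolute URL into ((scheme, host, port), normalized path)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    origin = (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))
    raw = u.path or "/"
    # Collapse "." and ".." first, so /foo/../bar is compared as /bar, not as
    # something under /foo/ (percent-encoded dots are left alone in this sketch).
    path = posixpath.normpath(raw)
    if raw.endswith("/") and path != "/":
        path += "/"
    return origin, path

def protected_prefix(challenged_url):
    """Prefix implied by a challenge: everything up to the last '/' of the path."""
    origin, path = origin_and_path(challenged_url)
    return origin, path[: path.rfind("/") + 1]

class BasicAuthCache:
    """Hypothetical client-side store: origin -> [(path prefix, credentials)]."""

    def __init__(self):
        self._entries = {}

    def remember(self, challenged_url, credentials):
        origin, prefix = protected_prefix(challenged_url)
        self._entries.setdefault(origin, []).append((prefix, credentials))

    def lookup(self, url):
        """Credentials to send unprompted for url, or None if out of scope."""
        origin, path = origin_and_path(url)
        hits = [(p, c) for p, c in self._entries.get(origin, []) if path.startswith(p)]
        # Assumption: when several prefixes match, the longest (most specific) wins.
        return max(hits, key=lambda h: len(h[0]))[1] if hits else None

if __name__ == "__main__":
    cache = BasicAuthCache()
    cache.remember("http://example.test/foo/bar", "alice:constructed-pw")
    for url in ("http://example.test/foo/baz/xyzzy/hello/world",
                "http://example.test/foo/../bar",
                "http://example.test:8080/foo/bar"):
        print(url, "->", cache.lookup(url))
```

A challenge on a document directly under the root, such as `/foo`, yields the prefix `/`, so the cache then treats the whole server as protected, matching the behaviour the quoted message describes.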