REAUTHENTICATION REQUIRED

Suppose you use your browser, supplying some authentication to server. Then
you leave. A while later, a "bad guy" walks up to your desk, and starts
sending requests to a server. Your browser will just keep sending your
credentials in the Authorization and/or Proxy-Authorization header, so the
"bad guy" will be granted access as you.

Browsers should time out, and after a while, stop sending Authorization
and/or Proxy-Authorization header. (This isn't really simply optional UI
behavior -- it's required for security).  However, existing browsers don't.
And, different applications have different requirements in this regard.
Hence, it is necessary for servers to be able to say that their maximum idle
time has passed, and that the browser should require the user to enter their
credentials again.

Add sections 10.4.19 and 10.4.20

==============================

10.4.19 420 Reauthentication Required

This header is similar to "401 Unauthorized", except that the user agent
MUST request credentials from the user before resubmitting the request, even
if the challenge is the same as on a prior response or if the user agent has
already obtained credentials from the user. The user agent should not assume
that the current credentials are invalid if the request contained an
Authorization header. The server can use this status code to cause the
browser to verify that the current user is the same as the one who supplied
the original credentials (say, after a period of inactivity).

10.4.20 421 Proxy Reauthentication Required

This header is similar to "407 Proxy Authentication Required", except that
the user agent MUST request credentials from the user before resubmitting
the request, even if the challenge is the same as on a prior response or if
the user agent has already obtained credentials from the user.  The user
agent should not assume that the current credentials are invalid if the
request contained a Proxy-Authorization header. The server can use this
status code to cause the browser to verify that the current user is the same
as the one who supplied the original credentials (say, after a period of
inactivity).

==================================

After the following paragraph in section 11:
If a prior request has been authorized, the same credentials MAY be reused
for all other requests within that protection space for a period of time
determined by the authentication scheme, parameters, and/or user preference.
Unless otherwise defined by the authentication scheme, a single protection
space cannot extend outside the scope of its server.

Add:
A user agent MUST NOT reuse the same credentials if a substantial amount of
time has passed without any user activity -- for example, the current user
may have left their browser, and an unauthorized one started using it. It is
RECOMMENDED that this time not exceed one hour, and that it be configurable.
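The server and user-agent behaviour described above, as an added example that is not part of the proposal: the server answers 420 (not 401) when credentials still verify but the idle limit has passed, the user agent prompts on 420 without discarding its cached credentials, and the section 11 rule caps credential reuse after inactivity. Basic authentication, the `example` realm, the `alice` account and the helper names are constructed for this example.

```python
import base64
import hmac

MAX_IDLE = 3600  # seconds; the proposal recommends at most one hour, configurable
CHALLENGE = 'Basic realm="example"'
USERS = {"alice": "correct horse"}  # constructed credential store, plaintext for brevity

def basic_header(user, pw):
    """Build the Authorization header value a browser would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def check_basic(authorization):
    """Return the username if the Basic credentials verify, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(pw.encode(), expected.encode()):
        return None
    return user

def server_response(authorization, last_activity, now):
    """Server side: (status, headers). Valid credentials after more than MAX_IDLE
    idle seconds get 420 rather than 401: the credentials are fine, the user is not."""
    if check_basic(authorization) is None:
        return 401, {"WWW-Authenticate": CHALLENGE}
    if last_activity is not None and now - last_activity > MAX_IDLE:
        return 420, {"WWW-Authenticate": CHALLENGE}
    return 200, {}

def user_agent_action(status, headers, sent_creds, cached_challenge):
    """User-agent side: (action, keep_cached) with action 'resend', 'prompt' or 'ok'."""
    same = headers.get("WWW-Authenticate") == cached_challenge
    if status == 420:
        return "prompt", True  # MUST prompt, but cached credentials are not invalid
    if status == 401:
        if not sent_creds and same:
            return "resend", True  # known challenge, credentials not yet tried
        return "prompt", not sent_creds  # rejected credentials are discarded
    return "ok", True

def may_reuse_credentials(last_user_activity, now, idle_limit=MAX_IDLE):
    """Section 11 addition: no credential reuse after a substantial idle period."""
    return now - last_user_activity <= idle_limit
```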

Received on Thursday, 20 November 1997 10:49:42 UTC