RE: REAUTHENTICATION REQUIRED

Based on feedback, and the epiphany that screen savers do the same thing as
I proposed the browser do, I withdraw the proposed modification to section
11. Something like it should go in the security considerations section --
Jim, can you mark it as an editorial issue, not for this revision?

I also added text about an error message, and what happens with browsers
that don't understand the new status code.

Revised proposal:

> Add sections 10.4.19 and 10.4.20
> 
> ==============================
> 
> 10.4.19 420 Reauthentication Required
> 
> This header is similar to "401 Unauthorized", except that the user agent
> MUST request credentials from the user before resubmitting the request, even
> if the challenge is the same as on a prior response or if the user agent has
> already obtained credentials from the user. The user agent should not assume
> that the current credentials are invalid if the request contained an
> Authorization header. The server can use this status code to cause the
> browser to verify that the current user is the same as the one who supplied
> the original credentials (say, after a period of inactivity). The server
> SHOULD send an entity-body explaining the reason for requiring
> reauthentication, because user agents that do not understand the status code
> will treat it as a generic 400 error and display the message.

> 10.4.20 421 Proxy Reauthentication Required
> 
> This header is similar to "407 Proxy Authentication Required", except that
> the user agent MUST request credentials from the user before resubmitting
> the request, even if the challenge is the same as on a prior response or if
> the user agent has already obtained credentials from the user. The user
> agent should not assume that the current credentials are invalid if the
> request contained a Proxy-Authorization header. The server can use this
> status code to cause the browser to verify that the current user is the
> same as the one who supplied the original credentials (say, after a period
> of inactivity). The server SHOULD send an entity-body explaining the reason
> for requiring reauthentication, because user agents that do not understand
> the status code will treat it as a generic 400 error and display the message.
> 
> 
> ==================================
> 

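An added example, not part of this message or of any browser: a toy Python user agent that contrasts the proposed 420/421 handling (always re-prompt the user, cached credentials not assumed invalid) with the existing 401/407 handling (reuse cached credentials, re-prompt only when the same challenge is refused), and shows a pre-420 agent falling back to "generic 400, display the entity-body". The `UserAgent` class, its credential cache and the realm and messages are constructed for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    challenge: str = ""  # WWW-Authenticate / Proxy-Authenticate value (the realm)
    body: str = ""       # entity-body the server SHOULD send with 420/421

@dataclass
class UserAgent:
    understands_reauth: bool = True  # False models a browser predating 420/421
    cache: dict = field(default_factory=dict)  # realm -> credentials from the user
    prompts: int = 0                 # how many times the user was asked
    tried: set = field(default_factory=set)    # realms already sent on this request

    def prompt(self, realm):  # stand-in for the password dialog (constructed)
        self.prompts += 1
        self.cache[realm] = "creds-%d-for-%s" % (self.prompts, realm)
        return self.cache[realm]

    def handle(self, resp):
        """Decide what to do with a 4xx: ('retry', credentials) or ('display', text)."""
        realm = resp.challenge
        if resp.status in (401, 407):
            # Existing rule: resend cached credentials once; the same challenge
            # again on this request means they were refused, so ask the user.
            if realm not in self.cache or realm in self.tried:
                self.prompt(realm)
            self.tried.add(realm)
            return ("retry", self.cache[realm])
        if resp.status in (420, 421) and self.understands_reauth:
            # Proposed rule: MUST ask the user even though the challenge repeats
            # and credentials are cached; the cached ones are not assumed invalid.
            return ("retry", self.prompt(realm))
        # Any other 4xx is treated as a generic 400: the body is what gets shown.
        return ("display", resp.body or "400 Bad Request")

def idle_session_demo():
    """Constructed exchange: login, an idle period, then 401 versus 420 from the server."""
    realm, ua = 'Basic realm="intranet"', UserAgent()
    reason = "Session idle too long; please sign in again."
    login = ua.handle(Response(401, realm))      # first visit: the user is asked
    ua.tried.clear()                             # later, separate request
    after_401 = ua.handle(Response(401, realm))  # cached credentials, nobody asked
    ua.tried.clear()
    after_420 = ua.handle(Response(420, realm, reason))  # the user must be asked
    fallback = UserAgent(understands_reauth=False).handle(Response(420, realm, reason))
    return {"login": login, "after_401": after_401, "after_420": after_420,
            "prompts_after_420": ua.prompts, "legacy": fallback}
```

The point the model makes visible: a 401 after the idle period is answered silently from the cache, so only 420 actually verifies that a person is still at the keyboard.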
Received on Thursday, 20 November 1997 14:05:35 UTC