Re: REAUTHENTICATION REQUIRED from Scott Lawrence on 1997-11-24 (ietf-http-wg@w3.org from October to December 1997)

From: Scott Lawrence <lawrence@agranat.com>
Date: Mon, 24 Nov 1997 16:09:24 -0500
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <199711242109.QAA18613@devnix.agranat.com>

>>>>> "DWM" == David W Morris <dwm@xpasc.com> writes:

DWM> 2. However, it is incomplete.  W/o a corresponding mechanism, there is
DWM>    no practical way for a server or proxy to know when the proposed
DWM>    420/421 reauthentication should be requested.

DWM> So, the timeout concept must be included, with the server providing the
DWM> timeout. At least optionally, the timeout should be specified as an
DWM> idle period, and not absolute value. That is, if the credential isn't
DWM> used (sent) within X seconds, it must be discarded.

  I'm not sure that I understand this comment.  The discussion of a
  timeout in the proposed addition was strictly an example of the use
  of this code, not a part of the definition of its function.

DWM> Secondly, an additonal mechanism is required to allow the server to
DWM> force flushing of credentials w/o the implication of an immediate user
DWM> prompt. In many applications, there is an explicit notion of logoff.
DWM> Some form of response header to say flush credentials. Might be as
DWM> simple as the challenge header with a 2xx response to mean this is
DWM> a valid response but a new user interaction is required before sending
DWM> credentials to the server.

  This is an excellent suggestion.  I put forward the following
  suggested wording.

   2xx Discard Credentials

     This status indicates that the request succeeded, but that the user
     credentials used to construct the Authorization header field for the
     request MUST be discarded.  This allows web based applications to
     implement a 'logout' function.  The body of the response should
     in all other ways be treated as though the response code were
     '200 Ok'.

  This is completely backward compatible, since clients that don't
  understand it should already just treat it as a 200, they just won't
  discard cached credentials, which is the current situation anyway.

  Yes - users can just walk away without using an offered 'logout'
  function, but in my view that is no reason not to provide the
  capability.  I've been getting 2 or 3 pieces of email a week for
  the last couple of months from developers trying to figure out how
  to do this, and I haven't had any answer for them.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/

Received on Monday, 24 November 1997 13:10:49 UTC