RE: Redirection MUST NOTs

On Wed, 5 Nov 2003, Joris Dobbelsteen wrote:

>
> If one requests this URL:
>
> The user agent should already be aware that it better uses auth2. It is

There is no valid way that the user agent would be aware and allowed to
act on a URL parameter value which happens to be a URL/URI for some
other resource.

> already given in the URI. Redirection would actually be a waste of time.
> Auth1 could (transparent for the user) handle authentication by internally
> forwarding it to auth2.
> Load balancing could be done after authentication or using clustering.
>
> This is the exact example I'm worried about, because (authentication)
> information could be sent all over the Internet, when redirection is
> allowed.
>
> - Joris
>
> > -----Original Message-----
> > From: Mark Baker [mailto:distobj@acm.org]
> > Sent: Wednesday, 5 November 2003 3:04
> > To: Joris Dobbelsteen
> > Cc: WWW WG
> > Subject: Re: Redirection MUST NOTs
> >
> > On Tue, Nov 04, 2003 at 10:44:26PM +0100, Joris Dobbelsteen wrote:
> > > Still, I'm interested in a (practical) situation where one needs to
> > > redirect a non-GET/HEAD request?
> >
> > When the user agent trusts the server as it would a proxy, e.g.
> >
> > POST http://auth1.example.org/proxy?uri=http://auth2.example.org/some-path/ HTTP/1.1
> > Host: auth1.example.org
> > ...
> >
> > There, the server is providing proxy-like capabilities, but
> > in gateway form.
> >
> > Mark.
> > --
> > Mark Baker.   Ottawa, Ontario, CANADA.        http://www.markbaker.ca
> >
>

Received on Wednesday, 5 November 2003 13:00:53 UTC
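
An added example, not part of the original messages: a hypothetical client-side redirect policy that addresses both points raised in the thread. It never interprets the `uri=` query parameter, asks the user before re-sending a non-GET/HEAD request to a redirect target, and drops credential headers when the target is a different origin. The function names, the header list and the sample request are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}
# Assumed list of headers that carry authentication material.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port); path and query are deliberately ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def plan_redirect(method, request_url, location, headers, user_confirmed=False):
    """Decide how to handle a redirect response carrying a Location header.

    Returns (action, target, headers_to_send); action is "follow" or "ask-user".
    """
    target = urljoin(request_url, location)  # Location may be relative
    if method.upper() not in SAFE_METHODS and not user_confirmed:
        # Re-sending a request body to a new URI needs the user's consent.
        return "ask-user", target, {}
    if origin(target) == origin(request_url):
        return "follow", target, dict(headers)
    # Different origin: forward the request without credential headers.
    kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return "follow", target, kept


# Constructed sample request, modelled on the gateway URL quoted in the thread.
GATEWAY = "http://auth1.example.org/proxy?uri=http://auth2.example.org/some-path/"
SAMPLE_HEADERS = {"Authorization": "Basic constructed-sample", "Content-Type": "text/plain"}

if __name__ == "__main__":
    for loc, ok in [("http://auth2.example.org/some-path/", False),
                    ("http://auth2.example.org/some-path/", True),
                    ("/proxy2", True)]:
        print(plan_redirect("POST", GATEWAY, loc, SAMPLE_HEADERS, user_confirmed=ok))
```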