- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Sat, 04 Nov 2006 23:15:19 +0100
- To: ietf-http-wg@w3.org
- Message-Id: <1162678519.11880.260.camel@henriknordstrom.net>
Sat 2006-11-04 at 12:44 -0800, David Morris wrote:

> Yes, it takes an extra set of round trips as the server can't reject
> the request out of hand. In terms of %age of total http network traffic,
> it will be lost in the noise.

Actually it doesn't even add an extra round trip, as the client is supposed to handle the situation where it does not understand any of the challenges gracefully and inform the user that it is not capable of accessing the resource.

Unfortunately many client implementations are broken and fall back on Basic under such conditions, but that is another story entirely, not related to HTTP/1.1 but simply implementation bugs.

Regarding the specs, they already say

  "Servers should only include Basic if it is minimally acceptable."

and

  "The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands."

and

  "Because Basic authentication involves the cleartext transmission of passwords it SHOULD NOT be used (without enhancements) to protect sensitive or valuable information."

all quotes from RFC2617 btw.

Regards
Henrik
Received on Saturday, 4 November 2006 22:15:30 UTC
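The client behaviour Henrik describes (choose the strongest challenge you understand, and abort rather than fall back to Basic when none is acceptable) as an added example; this is illustrative code written for this page, not code from the thread or from any particular user agent. It parses the RFC 2617 challenge list grammar from one or more WWW-Authenticate header values; the scheme ordering in KNOWN_SCHEMES_BY_STRENGTH, the refusal of Basic on a cleartext transport, and the sample headers are all assumptions made for the illustration.

```python
"""Client-side handling of an HTTP/1.1 401 response per RFC 2617.

Added example, not from the mailing-list post: parse the WWW-Authenticate
challenge list, pick the strongest scheme this client understands, and
refuse outright when none is acceptable instead of quietly falling back to
Basic. The scheme ordering and the cleartext-Basic policy are assumptions.
"""
import re
from typing import Optional

# Assumption: the schemes this client implements, strongest first.
KNOWN_SCHEMES_BY_STRENGTH = ["Digest", "Basic"]

_TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# One item of a challenge list: either a bare auth-scheme token or an
# auth-param of the form name=value. Commas separate items; a scheme token is
# followed directly (no comma) by its first param. RFC 7235 token68 blobs
# (e.g. "Negotiate <base64>") are outside the RFC 2617 grammar and rejected.
_ITEM = re.compile(
    rf"\s*,?\s*(?P<name>{_TOKEN})(?:\s*=\s*(?P<value>{_QUOTED}|{_TOKEN}))?"
)


def _unquote(value: str) -> str:
    """Strip RFC 2616 quoted-string quotes and backslash escapes."""
    if value.startswith('"') and value.endswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header_values: list[str]) -> list[dict]:
    """Parse one or more WWW-Authenticate header values into challenges.

    Each challenge is {"scheme": str, "params": {name: value}}; a single
    header may carry several comma-separated challenges (RFC 2617 section 1.2).
    """
    challenges: list[dict] = []
    for header in header_values:
        pos = 0
        current: Optional[dict] = None
        while header[pos:].strip():
            m = _ITEM.match(header, pos)
            if not m:
                raise ValueError(f"malformed challenge at offset {pos}: {header[pos:]!r}")
            pos = m.end()
            name, value = m.group("name"), m.group("value")
            if value is None:  # bare token: start of a new challenge
                current = {"scheme": name, "params": {}}
                challenges.append(current)
            elif current is None:
                raise ValueError("auth-param appears before any auth-scheme")
            else:
                current["params"][name.lower()] = _unquote(value)
    return challenges


def select_challenge(challenges: list[dict], transport_secure: bool = True) -> Optional[dict]:
    """Return the challenge with the strongest scheme we understand, or None.

    Implements the RFC 2617 rule quoted in the post: the user agent MUST choose
    the strongest auth-scheme it understands. Assumption for this example:
    Basic is additionally rejected on a cleartext transport, since it sends
    the password unencrypted and the RFC says it SHOULD NOT be used without
    enhancements to protect sensitive information.
    """
    for scheme in KNOWN_SCHEMES_BY_STRENGTH:
        for challenge in challenges:
            if challenge["scheme"].lower() != scheme.lower():
                continue
            if scheme == "Basic" and not transport_secure:
                continue
            return challenge
    return None


def handle_401(header_values: list[str], transport_secure: bool = True) -> tuple[str, str]:
    """Decide what a well-behaved client does with a 401.

    Returns ("use", scheme) when a challenge is acceptable, or ("abort", reason)
    when the client must tell the user it cannot access the resource. The abort
    path is the behaviour the post calls for; the broken clients it mentions
    would instead send Basic credentials at this point.
    """
    challenges = parse_challenges(header_values)
    chosen = select_challenge(challenges, transport_secure)
    if chosen is None:
        offered = ", ".join(c["scheme"] for c in challenges) or "(none)"
        return ("abort", f"no acceptable auth-scheme among: {offered}")
    return ("use", chosen["scheme"])


if __name__ == "__main__":
    # Constructed sample headers for the demo, not captured traffic.
    both = ['Digest realm="api", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", Basic realm="api"']
    print(handle_401(both))                                           # ('use', 'Digest')
    print(handle_401(['Basic realm="api"'], transport_secure=False))  # ('abort', ...)
    print(handle_401(["NTLM", "Negotiate"]))                          # ('abort', ...) nothing understood
```

The parser walks the header with a single regex that matches either a bare token (a new auth-scheme) or a name=value pair (a parameter of the current scheme), which is what makes the RFC 2617 "comma-separated list of challenges, each with comma-separated params" grammar unambiguous. The third call in the demo is the situation Henrik describes: nothing offered is understood, so the correct answer is to stop and inform the user, not to retry with Basic.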