- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 17 Aug 2007 12:34:14 +0200
- To: Stefan Eissing <stefan.eissing@greenbytes.de>
- CC: Mark Nottingham <mnot@mnot.net>, Hugo Haas <hugo@yahoo-inc.com>, ietf-http-wg@w3.org
Stefan Eissing wrote:
>
> On 17.08.2007 at 11:30, Julian Reschke wrote:
>> - force servers not to return a 401 at all.
>>
>> I think the latter would be bad: in this case I'd prefer a 401 over a
>> 400 or (gasp!) a 200.
>
> Well, sending WWW-Authenticate along with 401 is a MUST. So, how would a
> server send a 401 *without* complying to the basic framework Mark is
> talking about?

In theory it could invent an auth scheme name (and then not support it). For a client that would be indistinguishable from a real scheme that it happens not to support.

I just want to make sure that we don't end up promoting serving HTML login forms with 200, because 401 isn't allowed.

Maybe the language for 401 could be enhanced to state that if a server does require some kind of authentication, but does not support HTTP auth, 403 SHOULD be used?

Best regards, Julian
Received on Friday, 17 August 2007 10:34:32 UTC
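The cases discussed in this message, as an added example that is not part of the original thread: a client-side audit check that tells apart a 401 with a usable challenge, a 401 whose only scheme the client does not implement (an invented scheme looks exactly like this), a 401 with no `WWW-Authenticate` at all, and an HTML login form served with 200. The function names, the `SUPPORTED` set and the password-field heuristic are assumptions made for illustration, and the sample responses are constructed.

```python
import re

SUPPORTED = {"basic", "digest"}  # assumption: schemes this client implements

_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# A scheme is a token at the start or after a comma that is followed by
# whitespace and a parameter (or by nothing), never directly by "=".
_SCHEME = re.compile(r"(?:^|,)\s*(" + _TOKEN + r")(?=\s*(?:,|$)|\s+[^\s=,])")
# Heuristic (assumption): a password input marks an HTML login form.
_LOGIN_FORM = re.compile(rb"<input[^>]+type=[\"']?password", re.I)


def challenge_schemes(header_value):
    """Return the lowercased auth scheme names in a WWW-Authenticate value."""
    # Blank out quoted strings first so commas inside realm="a, b" are ignored.
    stripped = _QUOTED.sub('""', header_value)
    return [m.group(1).lower() for m in _SCHEME.finditer(stripped)]


def classify(status, headers, body=b""):
    """Classify how a server signalled that authentication is required."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        challenge = headers.get("www-authenticate", "")
        schemes = challenge_schemes(challenge)
        if not schemes:
            return "401-without-challenge"   # violates the MUST quoted above
        if not SUPPORTED.intersection(schemes):
            return "401-unsupported-scheme"  # invented or merely unknown
        return "http-auth"
    if status == 403:
        return "forbidden"
    if status == 200 and _LOGIN_FORM.search(body):
        return "login-form-with-200"         # auth hidden from HTTP clients
    return "other"


if __name__ == "__main__":
    # Constructed sample responses.
    samples = [
        (401, {"WWW-Authenticate": 'Basic realm="a, b", Digest realm="x", nonce = "n"'}, b""),
        (401, {"WWW-Authenticate": 'X-Invented realm="site"'}, b""),
        (401, {}, b""),
        (200, {"Content-Type": "text/html"}, b'<form><input name="p" type="password"></form>'),
    ]
    for status, headers, body in samples:
        print(status, classify(status, headers, body))
```

Only the first three outcomes are visible to a generic HTTP client from the status line and headers alone; the last one requires inspecting the body, which is the concern raised about serving login forms with 200.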