- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Thu, 23 Aug 2007 00:27:11 +0200
- To: Hugo Haas <hugo@yahoo-inc.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Stefan Eissing <stefan.eissing@greenbytes.de>, Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org
On fre, 2007-08-17 at 09:48 -0700, Hugo Haas wrote:

> As you mention, the debate seems to gravitate around whether it's OK to return
> a 401 with "WWW-Authenticate: Foo", Foo being a scheme which does not use the
> Authorization header to pass credentials (it's not clear to me from reading
> the specs as I mentioned in my original email).

While it's technically OK (it's a valid 401) I would certainly not recommend inventing such authentication methods (I would not call them schemes in this context) which do not make use of the Authorization header.

The HTTP protocol is sensitive to whether a request carries Authorization, and object freshness and cacheability are changed considerably for responses to such requests. Authentication methods not using the provided framework need to account for those aspects themselves by adding suitable Cache-Control headers (i.e. "Cache-Control: private").

Regards
Henrik
Received on Wednesday, 22 August 2007 22:27:26 UTC
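The cache behaviour Henrik refers to, shown as an added example that is not part of the thread or of any HTTP implementation discussed in it: a toy shared-cache admissibility check modelled on the Authorization rule in RFC 2616 section 14.8 (carried into RFC 7234 section 3.2). A shared cache must not reuse a response to a request that carried an Authorization header unless the response explicitly allows it with s-maxage, must-revalidate or public. A method that passes credentials in some other header (the hypothetical X-Foo-Credentials below) gets none of that protection, so a plain max-age response becomes storable by a shared proxy and is served to the next client, unless the origin adds Cache-Control: private itself. The request and response headers are constructed for illustration; the "otherwise storable" branch is a deliberate simplification of the full storability rules.

```python
"""
Added example, not code from the thread or from any real cache.
Models the shared-cache rule for responses to requests carrying
Authorization (RFC 2616 s14.8 / RFC 7234 s3.2) and shows why a
non-Authorization credential header needs Cache-Control: private.
"""


def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    if not value:
        return directives
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return True if a shared (proxy) cache may store this response.

    Simplified: private/no-store never enter a shared cache; a request
    that carried Authorization makes the response storable only with an
    explicit s-maxage, must-revalidate or public; otherwise anything
    with an explicit freshness lifetime is storable (simplification).
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))

    if "private" in cc or "no-store" in cc:
        return False
    if "authorization" in req:
        # The Authorization-specific exception list.
        return any(d in cc for d in ("s-maxage", "must-revalidate", "public"))
    return "max-age" in cc or "s-maxage" in cc or "expires" in resp


# Constructed sample exchanges (hypothetical hosts and credentials).
BASIC_REQUEST = {"Host": "example.test",
                 "Authorization": "Basic YWxpY2U6c2VjcmV0"}
# Hypothetical scheme that carries credentials outside Authorization.
FOO_REQUEST = {"Host": "example.test",
               "X-Foo-Credentials": "alice:token123"}

PLAIN_RESPONSE = {"Content-Type": "text/html",
                  "Cache-Control": "max-age=3600"}
PRIVATE_RESPONSE = {"Content-Type": "text/html",
                    "Cache-Control": "private, max-age=3600"}
PUBLIC_RESPONSE = {"Content-Type": "text/html",
                   "Cache-Control": "public, max-age=3600"}


def evaluate_scenarios():
    """Run the four cases a practitioner would compare."""
    return {
        # Authorization present: max-age alone is NOT enough for a shared cache.
        "basic_plain": shared_cache_may_store(BASIC_REQUEST, PLAIN_RESPONSE),
        # Authorization present but origin explicitly opted in with public.
        "basic_public": shared_cache_may_store(BASIC_REQUEST, PUBLIC_RESPONSE),
        # Custom credential header: nothing stops a shared cache storing it.
        "foo_plain": shared_cache_may_store(FOO_REQUEST, PLAIN_RESPONSE),
        # Custom credential header with the Cache-Control: private fix applied.
        "foo_private": shared_cache_may_store(FOO_REQUEST, PRIVATE_RESPONSE),
    }


if __name__ == "__main__":
    for name, storable in evaluate_scenarios().items():
        print(f"{name:13s} shared cache may store: {storable}")
```

The "foo_plain" case is the leak: a proxy between the users sees no Authorization header, stores the personalised response for an hour, and hands it to the next client that asks for the same URL. The "foo_private" case is the mitigation Henrik describes; the origin has to add it on every response the custom method protects, because the framework will not do it for a header it does not know about.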