ticket #78 (Relationship between 401, Authorization and WWW-Authenticate)

Hi,

I just checked the history of this bug, following several threads, and 
it appears this is really a *set* of issues...


1. Relation between status code 401 and WWW-Authenticate

401 responses MUST include a WWW-Authenticate, but the opposite is not true.

Should we state more clearly in 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-11.html#header.www-authenticate> 
what this field means on a 2xx response? Any response?


2. Relation between WWW-Authenticate and Authorization fields?

Does every authentication scheme need to specify the credentials in 
"Authorization"? 
<http://tools.ietf.org/html/draft-broyer-http-cookie-auth-00> doesn't, 
and this doesn't seem to be a problem in practice (as long as 
cacheability is properly addressed).


3. Should we specify how to handle a 401/WWW-Authenticate that does not 
contain any known schemes?

It appears all browsers nowadays display the message payload, which 
clearly is the right thing to do if we ever want to deploy new schemes.

Given the fact that implementations do the right thing, do we need to 
say more?


Best regards, Julian

Received on Wednesday, 15 September 2010 16:26:45 UTC
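The three points above describe client behaviour on a 401: the response must carry WWW-Authenticate, the client needs to find a challenge it implements, and if it finds none it should render the payload. The following is an added example (not part of Julian's message, the httpbis drafts, or any browser's code) of a client-side decision routine. It assumes a simplified challenge grammar (comma-separated challenges with token or quoted-string parameters; token68 challenges such as `Negotiate <blob>` are deliberately rejected), a constructed set of "known" schemes (Basic and Digest), and constructed header values for the demonstration. Treating WWW-Authenticate on a non-401 response as informational is also an assumption, since the draft does not settle that question.

```python
"""Constructed example: client-side handling of 401 / WWW-Authenticate.

Not the code of any browser or of the httpbis drafts. Grammar is simplified:
multiple comma-separated challenges and quoted parameters are supported,
token68 challenges (e.g. "Negotiate <blob>") are reported as an error.
"""
from __future__ import annotations

import re

# Assumption: the authentication schemes this client actually implements.
KNOWN_SCHEMES = {"basic", "digest"}

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_TOKEN_RE = re.compile(rf"({_TOKEN})")
# A parameter: optional leading comma (between params), name "=" value.
_PARAM_RE = re.compile(rf"\s*,?\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})")


def _unquote(raw: str) -> str:
    """Strip quotes and backslash escapes from a quoted-string value."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_www_authenticate(value: str) -> list[tuple[str, dict[str, str]]]:
    """Split a WWW-Authenticate field value into (scheme, params) challenges.

    A new challenge starts wherever a token is NOT followed by '=', which is
    how the comma-separated list of challenges is told apart from the
    comma-separated list of parameters inside one challenge.
    """
    challenges: list[tuple[str, dict[str, str]]] = []
    pos, n = 0, len(value)
    while pos < n:
        while pos < n and value[pos] in " \t,":      # skip list separators
            pos += 1
        if pos >= n:
            break
        m = _TOKEN_RE.match(value, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}: {value[pos:]!r}")
        scheme, pos = m.group(1).lower(), m.end()    # scheme names are case-insensitive
        params: dict[str, str] = {}
        while (pm := _PARAM_RE.match(value, pos)):
            params[pm.group(1).lower()] = _unquote(pm.group(2))
            pos = pm.end()
        challenges.append((scheme, params))
    return challenges


def choose_action(status: int, headers: dict[str, str],
                  known: set[str] = KNOWN_SCHEMES) -> tuple[str, str | None]:
    """Decide what a client does with a response; returns (action, scheme).

    "retry-with-credentials"  401 carrying at least one challenge we implement
    "show-body"               401 with only unknown schemes: render the payload,
                              which is what the message says browsers do today
    "malformed"               401 without WWW-Authenticate (the draft says MUST)
    "proceed"                 any other status; WWW-Authenticate is then treated
                              as informational (an assumption, see lead-in)
    """
    www = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if status != 401:
        return "proceed", None
    if www is None:
        return "malformed", None
    # Picks the first understood challenge in header order; a production client
    # would rank the understood schemes by strength instead.
    for scheme, _params in parse_www_authenticate(www):
        if scheme in known:
            return "retry-with-credentials", scheme
    return "show-body", None


if __name__ == "__main__":
    # Constructed responses, not captured from any real server.
    samples = [
        (401, {"WWW-Authenticate": 'Basic realm="example"'}),
        (401, {"WWW-Authenticate": 'Newauth realm="apps", type=1, Basic realm="simple"'}),
        (401, {"WWW-Authenticate": 'Newauth realm="apps"'}),
        (401, {}),
        (200, {"WWW-Authenticate": "Basic"}),
    ]
    for status, hdrs in samples:
        print(status, hdrs.get("WWW-Authenticate"), "->", choose_action(status, hdrs))
```

The parser is lenient about separators and strict about structure: a value it cannot classify as a scheme or parameter raises instead of being silently dropped, so a client built on it would surface a garbled challenge rather than fall back to showing the payload for the wrong reason.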