- From: Adrien de Croy <adrien@qbik.com>
- Date: Mon, 25 Jul 2011 13:29:30 +1200
- To: Mark Nottingham <mnot@mnot.net>
- CC: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
On 25/07/2011 6:31 a.m., Mark Nottingham wrote: > On 24/07/2011, at 2:11 PM, Willy Tarreau wrote: > >> On Sun, Jul 24, 2011 at 02:06:17PM -0400, Mark Nottingham wrote: >>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78> >>> >>> Proposal: >>> >>> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential. >> Does this mean it's only for other 4xx or for any status ? It might have >> implications with non-idempotent requests if a client can repost a request >> that led to a 200 for instance. > Any status. Good point about non-idempotent requests; we'll need to make clear it's not about automatically retrying requests, but instead that sending the same request with credentials might have a different affect. isn't this redundant? I see requests with credentials all the time, when no previous WWW-Authorize had been sent in any response. So clients are already taking any liberties they like to send credentials when they please. I don't know that it adds anything to HTTP to explicitly tell them they may do this in protocol. They are doing it anyway. Otherwise are we going to prohibit the sending of creds when no WWW-Authorize had been sent? Adrien -- Adrien de Croy - WinGate Proxy Server - http://www.wingate.com WinGate 7 beta out now - http://www.wingate.com/getlatest/
Received on Monday, 25 July 2011 01:30:03 UTC