- From: Adrien de Croy <adrien@qbik.com>
- Date: Mon, 25 Jul 2011 19:37:03 +1200
- To: Willy Tarreau <w@1wt.eu>
- CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 25/07/2011 4:40 p.m., Willy Tarreau wrote: > On Mon, Jul 25, 2011 at 01:29:30PM +1200, Adrien de Croy wrote: >>>>> 1) Clarify that WWW-Authenticate can appear on any response, and that >>>>> when it appears on any other than a 401, it means that the client can >>>>> optionally present the request again with a credential. >>>> Does this mean it's only for other 4xx or for any status ? It might have >>>> implications with non-idempotent requests if a client can repost a request >>>> that led to a 200 for instance. >>> Any status. Good point about non-idempotent requests; we'll need to make >>> clear it's not about automatically retrying requests, but instead that >>> sending the same request with credentials might have a different affect. >> isn't this redundant? >> >> I see requests with credentials all the time, when no previous >> WWW-Authorize had been sent in any response. > Normally they're doing this when they have seen once a 401 with > WWW-Authenticate. Here the idea is that the server might present > the header on something different from the 401 (eg: here is your > data, but if you authenticate I could probably serve something > more specific to you). actually we mostly see it when the client agent is a script, downstream proxy, tunneling (non-http) client or other non-browser. They send the header from request #1. Of course this ignores the issue about whether the method chosen is supported / advertised. Normally it's Basic as well. Adrien > > Regards, > Willy > > -- Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Monday, 25 July 2011 07:37:43 UTC