- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 25 Nov 2008 20:57:06 +0000 (UTC)
On Tue, 25 Nov 2008, Tab Atkins Jr. wrote:
>
> This bit confused the hell out of me. Like Martin Atkins (no
> relation... probably) suggested, whenever someone's auth is bad for
> whatever reason I redirect them to the login page, possibly with an
> error message explaining what went wrong.

You can still do that. You also have the opportunity to use a 401 on the
login page itself.

> I would never have imagined trying to solve this problem at the level
> you're suggesting, nor do I think it is particularly necessary, since
> every server side language can do a redirect by themselves.

It may be that few enough people want to use the HTTP mechanisms for this
that the feature will need to be removed when the spec progresses to the
next level.

On Tue, 25 Nov 2008, Julian Reschke wrote:
>
> thanks a lot for this proposal which seems to go into the right
> direction.
>
> I didn't yet have time to look into this in detail, but it currently
> seems to require the UA to still parse the HTML page. Wouldn't it be
> better if the *headers* of the response (such as WWW-Authenticate, Link,
> ...) would contain sufficient information to perform the login without
> having to do that; such as a URI to POST to, plus the parameter names
> for user name and password?

The problem is that you'd basically have to duplicate the entire form,
since login forms can be arbitrarily complex.

If the bot has the username and password, why not also give it the
username field name, password field name, and login script url? Just
consider them part of the credentials.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 25 November 2008 12:57:06 UTC