- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 26 Nov 2008 11:58:58 +0000 (UTC)
On Wed, 26 Nov 2008, Thomas Broyer wrote:
>
> I came to the same conclusion and already implemented it (with a custom
> application-specific scheme) in an Enterprise app (the custom scheme
> accepts both HTML form, i.e. cookie, and an Authorization request-header
> - we're using it for XMLHttpRequests to "bypass" any cookie and
> therefore allow more than one "user session" in the same "browser
> session").

Cool!

> > challenge = "HTML" [ form ]
> > form = "form" "=" form-name
> > form-name = quoted-string
>
> RFC2617 states that "The realm directive (case-insensitive) is required
> for all authentication schemes that issue a challenge."

I didn't really understand how the realm would work here, which is why I
didn't include it. Is this a case where we should violate RFC2617? (Note
that we're in a rather unusual case here because the challenge never gets
a reply in the traditional sense.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 November 2008 03:58:58 UTC
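
The challenge grammar quoted in the message, as an added example that is not part of the original thread or of any specification text: a strict parser for a WWW-Authenticate value using the proposed "HTML" scheme, which also reports whether the realm directive RFC2617 asks for was sent. The function name parseHtmlChallenge and the acceptance of further comma-separated directives after the scheme are assumptions.

```javascript
// Parser for the challenge grammar quoted in the message:
//   challenge = "HTML" [ form ]
//   form = "form" "=" form-name ; form-name = quoted-string
// Assumption: other directives (e.g. realm) may appear, comma-separated,
// so the caller can see whether the RFC 2617 realm directive was sent.
function parseHtmlChallenge(value) { // hypothetical name
  let i = 0;
  const skipWs = () => { while (value[i] === ' ' || value[i] === '\t') i++; };
  const token = () => {
    const m = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+/.exec(value.slice(i));
    if (m) i += m[0].length;
    return m ? m[0] : null;
  };
  const quotedString = () => {
    if (value[i] !== '"') return null;        // bare tokens are not accepted
    let out = '';
    for (i++; i < value.length; i++) {
      if (value[i] === '"') { i++; return out; }
      // quoted-pair: the character after a backslash is taken literally
      if (value[i] === '\\' && ++i >= value.length) return null;
      out += value[i];
    }
    return null;                              // unterminated quoted-string
  };

  skipWs();
  const scheme = token();
  if (!scheme || scheme.toLowerCase() !== 'html') return null;
  const params = new Map();                   // Map avoids prototype-key clashes
  skipWs();
  while (i < value.length) {
    const name = token();
    skipWs();
    if (!name || value[i] !== '=') return null;
    i++;
    skipWs();
    const v = quotedString();
    if (v === null) return null;
    const key = name.toLowerCase();           // directive names are case-insensitive
    if (params.has(key)) return null;         // reject duplicated directives
    params.set(key, v);
    skipWs();
    if (i === value.length) break;
    if (value[i++] !== ',') return null;
    skipWs();
    if (i === value.length) return null;      // trailing comma
  }
  return { form: params.get('form') ?? null, hasRealm: params.has('realm') };
}
```

A null result means the value is not a well-formed "HTML" challenge; hasRealm lets a client or test harness record which servers omit the realm directive.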