- From: Calogero Alex Baldacchino <alex.baldacchino@email.it>
- Date: Wed, 26 Nov 2008 23:42:33 +0100
Martin Atkins wrote:
> Asbjørn Ulsberg wrote:
>>
>> [Request 1]
>>
>> GET /administration/ HTTP/1.1
>>
>>
>> [Response 1]
>>
>> HTTP/1.1 401 Unauthorized
>> WWW-Authenticate: HTML realm="Administration"
>>
>> <!DOCTYPE html>
>> <html>
>> ....
>> <form action="/login">
>> <input name="username">
>> <input type="password" name="password">
>> <input type="submit">
>> </form>
>> </html>
>>
>>
>> [Request 2]
>>
>> POST /login HTTP/1.1
>>
>> username=admin&password=secret
>>
>>
>> [Response 2]
>>
>> HTTP/1.1 302 Found
>> Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
>> Location: /administration/
>>
>>
>> [Request 3]
>>
>> GET /administration/ HTTP/1.1
>> Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
>>
>> [Response 3]
>>
>> HTTP/1.1 200 OK
>>
>> <!DOCTYPE html>
>> <html>
>> ...
>> <h1>Welcome!</h1>
>> </html>
>>
>> The twist here is that it is up to the server to provide the authentication token and, through the 'Authorization' header, give the client a way to authorize future requests.
>
> Your auth token here seems to me to be equivalent to a session cookie.
>
> If you change the "Authorization" header in Response 2 to "Set-Cookie" (and make some syntactic adjustments) then this doesn't require any changes to how deployed apps handle sessions today.
>

Perhaps that token was meant as a cross-session one, surviving until an explicit logout.
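The three-step exchange quoted above, as an added example that is not part of the thread or of anyone's proposal: a small Python stand-in for the server side that issues the HTML challenge, hands the token back in the Authorization header of the 302, and accepts it on the next request. The header names, paths and realm are from the quoted messages; the credential store, the regex for the proposed header syntax, the server-minted opaque token and the Response type are my assumptions.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

REALM = "Administration"
USERS = {"admin": "secret"}   # constructed credential store for the demo
SESSIONS = set()              # tokens this server has issued
LOGIN_FORM = '<form action="/login"><input name="username"><input type="password" name="password"><input type="submit"></form>'
# Header syntax proposed in the thread: Authorization: HTML <token> realm="<realm>"
AUTH_RE = re.compile(r'^HTML\s+(?P<token>\S+)\s+realm="(?P<realm>[^"]*)"$')

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def parse_html_auth(value):
    """Return (token, realm) from the proposed Authorization header, or None."""
    m = AUTH_RE.match(value.strip())
    return (m.group("token"), m.group("realm")) if m else None

def challenge():
    # Response 1: unauthenticated requests get the HTML challenge plus the login form
    return Response(401, {"WWW-Authenticate": f'HTML realm="{REALM}"'}, LOGIN_FORM)

def handle(method, path, headers=None, form=None):
    headers, form = headers or {}, form or {}
    if method == "POST" and path == "/login":
        user, pw = form.get("username", ""), form.get("password", "")
        if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
            # Response 2: the server mints the token and returns it in Authorization.
            # The thread's value is base64("Aladdin:open sesame"); an opaque random
            # token carries no credential and behaves like a session cookie.
            token = secrets.token_urlsafe(32)
            SESSIONS.add(token)
            return Response(302, {"Authorization": f'HTML {token} realm="{REALM}"',
                                  "Location": "/administration/"})
        return challenge()
    if path.startswith("/administration/"):
        parsed = parse_html_auth(headers.get("Authorization", ""))
        if parsed and parsed[1] == REALM and parsed[0] in SESSIONS:
            return Response(200, {}, "<h1>Welcome!</h1>")   # Response 3
        return challenge()
    return Response(404)

def run_exchange():
    # Replay requests 1-3 from the thread and return the three status codes
    r1 = handle("GET", "/administration/")
    r2 = handle("POST", "/login", form={"username": "admin", "password": "secret"})
    r3 = handle("GET", "/administration/", {"Authorization": r2.headers["Authorization"]})
    return [r1.status, r2.status, r3.status]
```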
Received on Wednesday, 26 November 2008 14:42:33 UTC