- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 27 Nov 2008 13:41:34 +0100
Thomas Broyer wrote:
> ...
> Julian is saying that if your page varies depending on the user being
> authenticated and/or the client not being authenticated at all, you
> (the origin server) should include a "Vary: Authorization".
> This means that if a shared cache has cached the response to an
> "unauthenticated request" and it receives an "authenticated request"
> for the same URI, it must not use the cached page but must relay the
> request back to the origin server.
>
> This case is specifically not handled by RFC 2616 AFAICT.
> ...

It's certainly an area that should be clarified.

> ...
> Actually, what's missing from HTTP is a way to ask you to authenticate
> but allow anonymous authentication (others have proposed sending a
> ...

Could you define what "anonymous authentication" would mean precisely?

> WWW-Authenticate response header-field with a 200 OK status; AFAICT
> HTTP doesn't disallow it (well, the "MUST be included in 401 response
> messages" is unclear to me: does it mean a 401 must have a
> WWW-Authenticate or the WWW-Authenticate must *only* be with a 401, or
> both?).

Only the former. The latter is currently undefined. The interesting question is whether we can retroactively specify it for 200 responses without breaking existing servers.

> ...

BR, Julian
Received on Thursday, 27 November 2008 04:41:34 UTC
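As an added illustration (not part of the thread above), a toy shared cache in Python shows the cache behaviour Thomas and Julian are discussing: when the origin sends "Vary: Authorization", an authenticated request for a URI whose anonymous response is already cached is forwarded to the origin; when the origin omits it, the cached anonymous page is served to the authenticated client. The origin, URI and credential value are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict   # lower-case header names
    body: str

def origin(uri, req_headers, advertise_vary=True):
    """Constructed origin: the representation differs for anonymous and
    authenticated clients. With advertise_vary=False it omits the Vary
    header, which is the case the thread warns about."""
    auth = req_headers.get("authorization")
    body = "private view" if auth else "public view"
    # 'public' is what lets a shared cache store the authenticated response at all
    headers = {"cache-control": "public, max-age=60"}
    if advertise_vary:
        headers["vary"] = "Authorization"
    return Response(200, headers, body)

class SharedCache:
    """Toy shared cache: primary key is the URI, secondary key is the
    request's value of every header named in the stored response's Vary."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.store = {}      # uri -> list of (secondary_key, Response)
        self.forwarded = 0   # how many requests went back to the origin

    @staticmethod
    def secondary_key(vary, req_headers):
        names = sorted(n.strip().lower() for n in vary.split(",") if n.strip())
        return tuple((n, req_headers.get(n)) for n in names)

    def get(self, uri, req_headers):
        req_headers = {k.lower(): v for k, v in req_headers.items()}
        for key, resp in self.store.get(uri, []):
            vary = resp.headers.get("vary", "")
            if vary != "*" and key == self.secondary_key(vary, req_headers):
                return resp, True                    # reused stored response
        resp = self.upstream(uri, req_headers)
        self.forwarded += 1
        key = self.secondary_key(resp.headers.get("vary", ""), req_headers)
        self.store.setdefault(uri, []).append((key, resp))
        return resp, False

def demo(advertise_vary):
    """Anonymous fetch first, then an authenticated request for the same
    URI. Returns (body served to the authenticated client, was_cache_hit)."""
    cache = SharedCache(lambda u, h: origin(u, h, advertise_vary))
    cache.get("/page", {})
    resp, hit = cache.get("/page", {"Authorization": "Bearer EXAMPLE-TOKEN"})  # constructed credential
    return resp.body, hit
```

`demo(True)` yields `("private view", False)`, while `demo(False)` yields `("public view", True)`, the cached anonymous page handed to the authenticated client.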