[whatwg] Solving the login/logout problem in HTML

Thomas Broyer wrote:
> ...
> Julian is saying that if your page varies depending on the user being
> authenticated and/or the client not being authenticated at all, you
> (the origin server) should include a "Vary: Authorization".
> This means that if a shared cache has cached the response to an
> "unauthenticated request" and it receives an "authenticated request"
> for the same URI, it must not use the cached page but must relay the
> request back to the origin server.
> 
> This case is specifically not handled by RFC 2616 AFAICT.
> ...

It's certainly an area that should be clarified.

> ...
> Actually, what's missing from HTTP is a way to ask you to authenticate
> but allow anonymous authentication (others have proposed sending a
> ...

Could you define what "anonymous authentication" would mean precisely?

> WWW-Authenticate response header-field with a 200 OK status; AFAICT
> HTTP doesn't disallow it (well, the "MUST be included in 401 response
> messages" is unclear to me: does it mean a 401 must have a
> WWW-Authenticate or the WWW-Authenticate must *only* be with a 401, or
> both?).

Only the former. The latter is currently undefined. The interesting 
question is whether we can retroactively specify it for 200 responses 
without breaking existing servers.

> ...

BR, Julian

Received on Thursday, 27 November 2008 04:41:34 UTC
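The shared-cache behaviour Thomas describes above, as an added example that is not part of the thread and not code from any HTTP implementation: a toy Python shared cache that does RFC 2616 section 13.6 variant selection on the request fields named in Vary, placed in front of a hypothetical origin whose page differs with and without an Authorization header. Without Vary: Authorization the cache hands the anonymous page to an authenticated client, and if the authenticated response happened to be cached first it hands that private page to everyone who follows; with Vary: Authorization each distinct Authorization value, including its absence, is a variant of its own and the authenticated request is relayed to the origin. The URL, the two Basic credentials and the header shapes are constructed for the example.

```python
"""Toy shared-cache model of the Vary: Authorization behaviour discussed above.

Added example for this thread, not code from the whatwg or the HTTP WG; the
origin, cache, URL and credentials are hypothetical and constructed here.
"""
import base64
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def origin(url: str, req: Dict[str, str], vary_on_authorization: bool) -> Response:
    """Hypothetical origin: the page differs with/without Authorization.

    Cache-Control: public lets a shared cache store even the authenticated
    response (the RFC 2616 section 14.8 exception), so whether the cache keeps
    the two variants apart depends entirely on the Vary header.
    """
    headers = {"Cache-Control": "public, max-age=3600"}
    if vary_on_authorization:
        headers["Vary"] = "Authorization"
    auth = _header(req, "Authorization")
    if auth is None:
        return Response(200, headers, "anonymous page (please log in)")
    # Basic credentials are "user:password" in base64; only the user name matters here.
    user = base64.b64decode(auth.split(" ", 1)[1]).decode().split(":", 1)[0]
    return Response(200, headers, f"private page for {user}")


class SharedCache:
    """Minimal shared cache with Vary-based variant selection (RFC 2616 section 13.6)."""

    def __init__(self) -> None:
        # url -> list of (selecting request-header values, stored response)
        self.store: Dict[str, List[Tuple[Dict[str, Optional[str]], Response]]] = {}

    @staticmethod
    def _selecting(vary: str, req: Dict[str, str]) -> Dict[str, Optional[str]]:
        # The request fields named in Vary select the variant; an absent field is
        # recorded as None, so "no Authorization at all" is a variant of its own.
        names = [n.strip().lower() for n in vary.split(",") if n.strip()]
        return {n: _header(req, n) for n in names}

    def get(self, url: str, req: Dict[str, str],
            fetch: Callable[[str, Dict[str, str]], Response]) -> Tuple[Response, bool]:
        """Return (response, served_from_cache)."""
        for stored_sel, resp in self.store.get(url, []):
            vary = resp.headers.get("Vary", "")
            if vary.strip() == "*":
                continue  # Vary: * means never reuse without contacting the origin
            if self._selecting(vary, req) == stored_sel:
                return resp, True
        resp = fetch(url, req)  # cache miss: relay the request to the origin
        self.store.setdefault(url, []).append(
            (self._selecting(resp.headers.get("Vary", ""), req), resp))
        return resp, False


# Constructed sample requests: an anonymous client and two Basic-auth users.
ANON: Dict[str, str] = {}
ALICE = {"Authorization": "Basic YWxpY2U6c2VjcmV0"}  # alice:secret
BOB = {"Authorization": "Basic Ym9iOmh1bnRlcjI="}    # bob:hunter2


def run(vary_on_authorization: bool, requests: List[Dict[str, str]]) -> List[Tuple[bool, str]]:
    """Replay requests for one URI through a fresh shared cache; (hit, body) per request."""
    cache = SharedCache()
    fetch = lambda u, h: origin(u, h, vary_on_authorization)
    return [(hit, r.body) for r, hit in (cache.get("/account", h, fetch) for h in requests)]


if __name__ == "__main__":
    for vary in (False, True):
        print(f"origin sends Vary: Authorization -> {vary}")
        for hit, body in run(vary, [ANON, ALICE, ANON, BOB]):
            print("  HIT " if hit else "  MISS", body)
```

Note that the example deliberately marks the responses Cache-Control: public; without that (or s-maxage / must-revalidate), RFC 2616 section 14.8 already forbids a shared cache from reusing a response to an Authorization-bearing request for any other request, and Vary: Authorization then only matters for the opposite direction, the cached anonymous page being served to an authenticated client, which is the case Thomas raises.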