[whatwg] Solving the login/logout problem in HTML

On Thu, Nov 27, 2008 at 1:41 PM, Julian Reschke wrote:
> Thomas Broyer wrote:
>> ...
>> Actually, what's missing from HTTP is a way to ask you to authenticate
>> but allow anonymous authentication (others have proposed sending a
>> ...
> Could you define what "anonymous authentication" would mean precisely?

I don't really mind, as long as the server is able to say "I give you
this thing to you anonymous user, but you can also authenticate (e.g.
to be proposed more features)". This is the exact use-case many web
site (including most if not all e-commerce web sites) are facing, and
it'd be cool that it could be dealt with at the HTTP level.

>> WWW-Authenticate response header-field with a 200 OK status; AFAICT
>> HTTP doesn't disallow it (well, the "MUST be included in 401 response
>> messages" is unclear to me: does it mean a 401 must have a
>> WWW-Authenticate or the WWW-Authenticate must *only* be with a 401, or
>> both?).
> Only the former. The latter is currently undefined.

Thanks for the clarification.

> The interesting question is whether we can retroactively specify it for 200
> responses without breaking existing servers.

...and clients (and intermediaries, but you might have included them
in "servers")

Thomas Broyer

Received on Thursday, 27 November 2008 08:17:26 UTC