- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 29 Oct 2005 10:22:57 +0200
- To: Lisa Dusseault <lisa@osafoundation.org>
- CC: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>, webdav <w3c-dist-auth@w3.org>

Lisa Dusseault wrote:
> No it's not just for LOCK and PUT -- a client doing read-only requests
> (like PROPFIND) might see different results depending on whether or not
> they're authenticated. Some of the resources in a collection might be
> publicly readable (so the PROPFIND can succeed if anonymous) but others
> be hidden to unauthenticated users.

But you could still use LOCK to enforce authentication, right?

> More generally, it's not actually a WebDAV problem alone. If a client
> does a GET to a dynamically generated page, they could easily see
> different results based on whether they're authenticated or not. Since
> browsers today often cache authentication information, this means that
> the browser could inform the server that they'd like the challenge to
> save the user the step of first going to the site, seeing the anonymous
> page version, then choosing to login. Of course some sites use cookies
> for this but cookies are sometimes disabled, expired, etc.

In which case I would recommend to

- update Jim's description of the problem accordingly and
- do this in a separate draft, optimally discussed on the HTTP WG's mailing list.

Best regards, Julian

Received on Saturday, 29 October 2005 08:23:22 UTC