Re: CNAMES and HTTP Authentication

"Marc Salomon" <marc@ckm.ucsf.edu> wrote:
  > [What happens if two DNS CNAMEs resolve to the same IP address?...]
  >
  > The user fires up the application by pointing their browser to
  > www.foo.edu:/apps/thing, authenticates and is granted authorization to proceed.
  > An embedded link somewhere in the application points to
  > bar.foo.edu:/apps/thing.
  > 
  > When the user dereferences this link, should the browser prompt to authenticate
  > again, or should it create an equivalence class for this IP address
  > consisting of the CNAMEs of which the browser is aware and send the
  > authentication data to the server?
  > 
  > In HTTP/1.0?
  > 
  > In HTTP/1.1 where the mandatory Host header forces disambiguation?

With HTTP/1.1 the two CNAMEs most certainly must be treated
separately.  If pepsi.com and coke.com resolve to the same IP address
(yes, unlikely), you wouldn't want the same authentication to work for
coke.com/secret-formula and pepsi.com/secret-formula.

IMO, HTTP/1.0 should work the same way, by name, not by IP address.

In general, note that the client may not even be able to resolve the IP
address, relying instead on a proxy to complete a connection.

Dave Kristol

Received on Thursday, 24 October 1996 17:17:27 UTC
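
Added example, not part of the original message: a client-side credential cache keyed by name next to one keyed by resolved IP address, showing that only the IP-keyed cache would hand the www.foo.edu credentials to bar.foo.edu. The resolver table, the address 192.0.2.10, the realm name and the credentials are constructed sample values, and `CredentialCache`, `origin_key` and `ip_key` are hypothetical names.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed resolver data: both names from the thread map to one address.
DNS = {"www.foo.edu": "192.0.2.10", "bar.foo.edu": "192.0.2.10"}


def origin_key(url):
    """Scope credentials by name: (scheme, lowercased host, effective port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def ip_key(url):
    """The 'equivalence class' alternative: scope credentials by resolved IP."""
    scheme, host, port = origin_key(url)
    return (scheme, DNS[host], port)


class CredentialCache:
    def __init__(self, key_func):
        self._key = key_func
        self._store = {}

    def remember(self, url, realm, credentials):
        self._store[(self._key(url), realm)] = credentials

    def lookup(self, url, realm):
        """Return cached credentials for a 401 challenge, or None to prompt."""
        return self._store.get((self._key(url), realm))


def demo():
    """Authenticate to www.foo.edu, then follow a link to bar.foo.edu."""
    by_name, by_ip = CredentialCache(origin_key), CredentialCache(ip_key)
    for cache in (by_name, by_ip):
        cache.remember("http://www.foo.edu/apps/thing", "thing", ("marc", "s3cret"))
    url = "http://BAR.foo.edu:80/apps/thing"
    return by_name.lookup(url, "thing"), by_ip.lookup(url, "thing")
```

`demo()` returns `None` for the name-keyed cache (the browser prompts again) and the stored credentials for the IP-keyed cache.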