authentication cleanups

Tony Sanders ([email protected])
Wed, 09 Nov 1994 17:45:56 -0600


Perhaps servers should return a indication of what area is
covered by the authentication. For example:

Client:
GET /protected/recipies/secret-sauce/ingredients HTML/1.0
...
Server:
401 Unauthorized
WWW-Authenticate: Basic realm="burgers_and_fries"
WWW-Realm-Partial: /protected/recipies/, /protected/foods/
...
Client:
GET /protected/recipies/secret-sauce/ingredients HTML/1.0
Authorization: Basic mickeyd:passwd
...

And now the client knows that it is ok to send the username/password on
an access to /protected/recipies/fries or /protected/foods/fries but that
should the user select something in /protected/payroll/* then it would
*not* send the users password to that area because they would probably
generate a security warning being issued.

Does this make sense?