Re: authentication cleanups

Daniel W. Connolly ([email protected])
Wed, 09 Nov 1994 18:19:12 -0600


In message <[email protected]>, Tony Sanders writes:
>Perhaps servers should return a indication of what area is
>covered by the authentication. For example:
>
>Client:
> GET /protected/recipies/secret-sauce/ingredients HTML/1.0
> ...
>Server:
> 401 Unauthorized
> WWW-Authenticate: Basic realm="burgers_and_fries"
> WWW-Realm-Partial: /protected/recipies/, /protected/foods/
...
>Does this make sense?

In a way, yes. But truly anal security fiends would say that this is
divulging potentially sensitive information. They get nervous when you
tell folks the difference between "file not found" and "unauthorized".
It's kinda like having a unix loging program that goes:

login: fred
username OK... passwd: ****

login: fredd
username no good.

login:

As long as you're using the basic authentication scheme, you're certainly
not in the league of anal security fiends, and this may be OK.

Dan