http 401 Unauthorized handling

Jan Rygh TFU ([email protected])
Fri, 18 Aug 1995 10:23:20 +0200


Hi,

I run a Web server with protected areas, and I want to guide
the users on what to do when they get a "401 Unauthorized"
message. I can control the feedback to the user, but I found
that the browsers handled the "401 Unauthorized" message quite
differently.

Almost all browsers give a promt for username/password when
a "401 Unauthorized" message is received. If you give the
right username/password combination you access the document you
wanted to see. If not, you must "Cancel" the attempt of accessing
the protected document. On "Cancel", some browsers show the document
you came from, others show an "401 Unauthorized" document from the
server (Mosaic has a bug when parsing this document).

Actually there should be three choices on the authorization promt:

1. "OK", Authorization succeds.
2. "Cancel", user doesn't want to access protected area.
3. "Fail", user wants to enter protected area, but he fails to do so.

The "OK" option returns the protected document,
the "Cancel" option should do nothing and just keep the current document,
the "Fail" option should return a document explaining why the document
is protected and eventually what to do to get authorized access.