authentication cleanups

Tony Sanders (sanders@earth.com)
Thu, 10 Nov 1994 00:56:44 +0100

Perhaps servers should return an indication of what area is
covered by the authentication. For example:

Client:
GET /protected/recipies/secret-sauce/ingredients HTTP/1.0
...
Server:
401 Unauthorized
WWW-Authenticate: Basic realm="burgers_and_fries"
WWW-Realm-Partial: /protected/recipies/, /protected/foods/
...
Client:
GET /protected/recipies/secret-sauce/ingredients HTTP/1.0
Authorization: Basic mickeyd:passwd
...

And now the client knows that it is ok to send the username/password on
an access to /protected/recipies/fries or /protected/foods/fries but that
should the user select something in /protected/payroll/* then it would
*not* send the user's password to that area because that would probably
generate a security warning being issued.

Does this make sense?
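
One way a client could enforce the scoping proposed in the message above, shown as an added example that is not part of the original message. The host name burgers.example, the class and function names, and the fallback used when no scope is advertised are assumptions; the header names and paths are the ones from the message.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed sample: the 401 response from the message, as a header dict.
SAMPLE_401 = {
    "WWW-Authenticate": 'Basic realm="burgers_and_fries"',
    "WWW-Realm-Partial": "/protected/recipies/, /protected/foods/",
}

def parse_scope(headers):
    """Return (realm, [path prefixes]) from a 401 response's headers."""
    scheme, _, params = headers.get("WWW-Authenticate", "").partition(" ")
    params, realm = params.strip(), None
    if scheme.lower() == "basic" and params.lower().startswith("realm="):
        realm = params[len("realm="):].strip('"')
    raw = headers.get("WWW-Realm-Partial", "")
    return realm, [p.strip() for p in raw.split(",") if p.strip().startswith("/")]

def canonical_path(url):
    """Decode and normalize the path so '..' or '%2e%2e' cannot dodge a prefix."""
    path = unquote(urlsplit(url).path) or "/"
    return "/" + posixpath.normpath(path).lstrip("/")

class CredentialCache:
    def __init__(self):
        self._scopes = {}  # (host, normalized prefix) -> credentials

    def remember(self, url, headers, credentials):
        """Record credentials that worked for url, limited to the advertised area."""
        _realm, prefixes = parse_scope(headers)
        host = urlsplit(url).netloc.lower()
        # Assumption: with no advertised scope, cover only the requested path.
        for prefix in prefixes or [urlsplit(url).path]:
            self._scopes[(host, canonical_path(prefix))] = credentials

    def credentials_for(self, url):
        """Return credentials only if url lies inside a remembered area."""
        host, path = urlsplit(url).netloc.lower(), canonical_path(url)
        for (scope_host, prefix), creds in self._scopes.items():
            # Match on a whole path segment: /protected/foods must not
            # cover /protected/foodstuff.
            inside = path == prefix or path.startswith(prefix.rstrip("/") + "/")
            if scope_host == host and inside:
                return creds
        return None  # outside every known area: do not volunteer the password
```

A caller would invoke `remember()` after the retried request succeeds, then consult `credentials_for()` before each later request and fall back to waiting for a fresh 401 when it returns None.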