Re: authentication cleanups

John Franks (john@math.nwu.edu)
Fri, 11 Nov 1994 02:39:01 +0100

In article <Pine.BSI.3.91.941109173734.25927R-100000@get.wired.com>, you write:
>
> Right now browsers (we're hoping!) resend names
> and passwords for every access to the same machine and port.

Is this true? I have always assumed that browsers resend names and
passwords for every access to the same machine and port AND REALM.
Surely, I can have more than one realm on one server. If not there
is no point to realm.

>
> On Thu, 10 Nov 1994, Tony Sanders wrote:
> > Perhaps servers should return an indication of what area is
> > covered by the authentication. For example:
> >
> > Client:
> > GET /protected/recipies/secret-sauce/ingredients HTML/1.0
> > ...
> > Server:
> > 401 Unauthorized
> > WWW-Authenticate: Basic realm="burgers_and_fries"
> > WWW-Realm-Partial: /protected/recipies/, /protected/foods/
> > ...
> > Client:
> > GET /protected/recipies/secret-sauce/ingredients HTML/1.0
> > Authorization: Basic mickeyd:passwd
> > ...
> >
> > And now the client knows that it is ok to send the username/password on
> > an access to /protected/recipies/fries or /protected/foods/fries but that
> > should the user select something in /protected/payroll/* then it would
> > *not* send the user's password to that area because that would probably
> > result in a security warning being issued.
> >
> > Does this make sense?
> >

Presumably the way it works now is that the browser tries
/protected/foods/, gets a 401 with the same realm as .../ingredients
and automatically resends the request with authorization, so the user
doesn't have to re-enter the password. (The docs are clear that any
authorizations using the same password file should have the same
realm. "burgers_and_fries" is a poor name choice for a realm
including foods and recipes -- I don't know if it was intended to be
significant or not).

So the bottom line is that this change would be invisible to the user
and would eliminate one transaction in some circumstances, at the expense
of added code in the browsers. I wouldn't see this as a really high priority.

On the other hand the issue raised by Brian of cross-machine realms seems
very important and should get priority. I don't see a need for
WWW-Realm-Partial though. Why not just add it to the realm? Something
like:

WWW-Authenticate: Basic realm="foods, hotwired1.com:bakery, hotwired3.com:meat"

This would allow a single virtual site to consist of several machines.

-- 

John Franks Dept of Math. Northwestern University john@math.nwu.edu
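As an added illustration of the client-side behaviour debated in this thread (not code from the thread or from any browser of the time), the toy cache below keys Basic credentials by protection space (host, port, realm), as John's message assumes, so a known realm on a second 401 is answered without re-prompting; it also honours the WWW-Realm-Partial header Tony Sanders proposed, pre-sending credentials only under the advertised prefixes and never to paths such as /protected/payroll/. The WWW-Realm-Partial header is hypothetical (it exists only in this thread), and the credentials are base64-encoded as real Basic auth requires rather than sent as plain "user:password".

```python
import base64
import re

REALM_RE = re.compile(r'realm="([^"]*)"')


class CredentialCache:
    """Caches Basic credentials per protection space (host, port, realm)
    and remembers which path prefixes the server said each realm covers."""

    def __init__(self):
        self._creds = {}   # (host, port, realm) -> "user:password"
        self._scopes = {}  # (host, port) -> [(path_prefix, realm), ...]

    def on_challenge(self, host, port, headers, user, password):
        """Handle a 401 response: record credentials for the challenged realm
        and parse the hypothetical WWW-Realm-Partial prefix list, if present."""
        m = REALM_RE.search(headers["WWW-Authenticate"])
        if m is None:
            raise ValueError("WWW-Authenticate carries no realm")
        realm = m.group(1)
        self._creds[(host, port, realm)] = f"{user}:{password}"
        partial = headers.get("WWW-Realm-Partial", "")
        for prefix in (p.strip() for p in partial.split(",")):
            if prefix:
                self._scopes.setdefault((host, port), []).append((prefix, realm))
        return realm

    def authorization_for_realm(self, host, port, realm):
        """Credentials to resend when a 401 names a realm we already know;
        None means the user must be prompted."""
        creds = self._creds.get((host, port, realm))
        if creds is None:
            return None
        return "Basic " + base64.b64encode(creds.encode()).decode()

    def preemptive_authorization(self, host, port, path):
        """Authorization header to pre-send for a path, or None when the path
        lies outside every prefix the server advertised on that host:port.
        Only prefix matches count, so /protected/payroll/ is never covered."""
        for prefix, realm in self._scopes.get((host, port), []):
            if path.startswith(prefix):
                return self.authorization_for_realm(host, port, realm)
        return None
```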