On 17 Sep 2009, at 07:58, Alexander Klimetschek wrote:

On Wed, Sep 16, 2009 at 22:36, Vidar Ramdal <[email protected]> wrote:
I think this is due to the way the browser handles HTTP
authentication. If I remember correctly:

When you request /a/b.html?sling:authRequestLogin, and get an HTTP
login dialog, the browser stores the credentials for the path /a/b
(and all paths underneath it).
Thus, the browser will not send the credentials when you request
/a/c.html, since that path is not underneath /a/b.

However, if you request /a?sling:authRequestLogin first, auth headers
will be sent on subsequent requests to /a/b and /a/c.

Right, and this can be different from browser to browser. In my
experience, Firefox and IE are not that strict and will apply cached
credentials for the same realm on the entire domain (e.g. my.app.com/),
so you shouldn't see this problem with them (but I am not sure, maybe
it is only the case in certain versions of them).

Safari and Chrome (i.e. Webkit-based ones, although HTTP and Credential
handling is not part of the core Webkit code) are more strict and will
definitely apply them for a given resource and its "tree" below. They
will also only cache credentials that were entered manually, i.e. any
XHR trick to pass in the credentials while avoiding the (ugly) browser
login dialog will fail there.


There is a further complication in this: in some browsers Ajax calls don't behave in the same way as the main browser. I think some of my co-workers have seen this with IE8, so it's probably safest to ensure that login happens at /.

Ian



Regards,
Alex

--
Alexander Klimetschek
[email protected]
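The following is an added illustration, not code from the thread or from Sling itself. It models the three credential-scoping behaviours described above (whole domain for a realm; the RFC 2617 "directory" protection space; the stricter "resource and its tree below" behaviour) as a small policy table, so you can check for a given login path which later requests would carry the cached credentials, and why asking for login at / is the only choice that behaves the same everywhere. The policy names and the helper functions are constructed for this example; the paths are the ones from the thread.

```python
# Constructed model of how a browser scopes cached HTTP auth credentials
# after a challenge. Three policies (names are this example's own):
#   "domain":      credentials reused on the whole origin for the realm
#                  (the lenient Firefox/IE behaviour described in the thread)
#   "directory":   credentials reused under the directory of the challenged
#                  resource (the RFC 2617 protection space rule)
#   "path-prefix": credentials reused only for the challenged resource and
#                  the tree below it (the strict WebKit-style behaviour)
POLICIES = ("domain", "directory", "path-prefix")


def _strip_query(path):
    """Drop a query string such as ?sling:authRequestLogin."""
    return path.split("?", 1)[0]


def credential_scope(challenged_path, policy):
    """Return the path prefix under which cached credentials are reused."""
    path = _strip_query(challenged_path)
    if policy == "domain":
        return "/"
    if policy == "directory":
        # RFC 2617 section 2: everything up to and including the last '/'
        return path[: path.rfind("/") + 1]
    if policy == "path-prefix":
        # /a/b.html is treated as the node /a/b, so its "tree" is /a/b and below
        last = path.rsplit("/", 1)[-1]
        return path.rsplit(".", 1)[0] if "." in last else path
    raise ValueError("unknown policy: %s" % policy)


def credentials_sent(challenged_path, request_path, policy):
    """Would the browser attach the cached credentials to request_path?"""
    scope = credential_scope(challenged_path, policy)
    req = _strip_query(request_path)
    if scope == "/":
        return True
    if scope.endswith("/"):
        return req.startswith(scope)
    # node-style scope: the node itself, its rendering (/a/b.html) or children
    return req == scope or req.startswith(scope + "/") or req.startswith(scope + ".")


def login_path_covers(login_path, request_paths):
    """True if credentials obtained at login_path are sent for every request
    path under every policy, i.e. the choice is browser-independent."""
    return all(credentials_sent(login_path, p, pol)
               for pol in POLICIES for p in request_paths)


if __name__ == "__main__":
    pages = ["/a/b.html", "/a/c.html"]
    for login in ("/a/b.html?sling:authRequestLogin", "/a?sling:authRequestLogin", "/"):
        for pol in POLICIES:
            print(login, pol, [credentials_sent(login, p, pol) for p in pages])
        print("covers all browsers:", login_path_covers(login, pages))
```

Running it reproduces the observations in the thread: a login triggered at /a/b.html leaves /a/c.html without credentials under the strict policy, a login at /a covers both, and only a login at / is covered by all three policies, which is the reasoning behind forcing the login at the site root.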
