Hi Julius,

> What if my server sent:
> ------------------------------------------
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate:  USE-THE-HTML-FORM-IN-THE-CONTENT-OF-THIS-RESPONSE
> ...
> ------------------------------------------
> 
> I think the browsers all support this, but I need to test more!
> 
> To me what I'm doing there seems completely legit with the RFC,
> because nowhere does the RFC state what the valid challenges are,
> aside from referring to (this.RFC++) (AKA:  2617) and its BASIC and
> DIGEST.
>

Again RFC 2616:

10.4.2 401 Unauthorized

   The request requires user authentication. The response MUST include a
   WWW-Authenticate header field (section 14.47) containing a challenge
   applicable to the requested resource. The client MAY repeat the
   request with a suitable Authorization header field (section 14.8). If
   the request already included Authorization credentials, then the 401
   response indicates that authorization has been refused for those
   credentials. If the 401 response contains the same challenge as the
   prior response, and the user agent has already attempted


Yes, you are free to define your own authentication schemes.
But the way I read it, Authorization data MUST go into the
Authorization header. You might get away with putting the
same data in the header and the body, but surely not with
pure form-based authentication. HTTP authentication happens
on the HTTP layer, that is in the status line and headers.
The body is for application data and authentication on the
application layer.

cheers,
  Roland
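As an added example, not code from this thread or from either poster: a small Python sketch of the exchange Roland describes. The server issues the 401 challenge and grants access only on credentials carried in the Authorization header, so a login form posted in the body never satisfies the HTTP-layer challenge; the parser also shows that Julius's custom scheme token is syntactically a valid challenge under the RFC 2617 grammar. The credential store, realm and choice of Basic as the scheme are constructed assumptions.

```python
import base64
import hmac
import re

# RFC 2617 challenge grammar: auth-scheme *( auth-param ), where
# auth-param = token "=" ( token | quoted-string ).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM_RE = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})')
CHALLENGE_RE = re.compile(rf"\s*({TOKEN})(?:\s+(.*))?$", re.S)

def parse_challenge(value):
    """Split one WWW-Authenticate value into (scheme, {param: value})."""
    m = CHALLENGE_RE.match(value)
    if not m:
        raise ValueError("malformed challenge: %r" % value)
    params = {}
    for key, val in PARAM_RE.findall(m.group(2) or ""):
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unescape quoted-string
        params[key.lower()] = val
    return m.group(1), params

# Constructed credential store and realm for this example only.
USERS = {"alice": "s3cret"}
CHALLENGE = 'Basic realm="example"'

def handle(headers, body=""):
    """Server side: decide purely from the Authorization header.
    Returns (status, response_headers). The body is application data and
    never satisfies the HTTP-layer challenge, even if it carries a login form."""
    auth = headers.get("Authorization", "")
    scheme, _, creds = auth.partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(creds.strip()).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user = pw = ""
        # constant-time comparison so a wrong password does not leak by timing
        if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": CHALLENGE}

def client_retry(challenge_header, user, pw):
    """Client side: answer the challenge with an Authorization header."""
    scheme, _ = parse_challenge(challenge_header)
    if scheme.lower() != "basic":
        raise ValueError("client does not speak scheme %r" % scheme)
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```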
