all inline.

> -----Original Message-----
> From: Curt Smith [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 03 September 2001 9:31
> To: Orion-Interest
> Subject: RE: Additional invocations to the UserManager
> 
> 
> I bounced the client, deleted cache/cookies and still saw the auto-login
> behavior on every request to my UserManager without seeing the login
> dialogue the 2nd--Nth time.  So how could the client be silently supplying
> the user/pass on every request???  Still looks like the container is
> calling UserManager with its cached copy of user/passwd....

The browser caches it. Read RFC 1945 (HTTP 1.0), section 11. Here are some
quotes:

<Section 11>
   The domain over which credentials can be automatically applied by a
   user agent is determined by the protection space. If a prior request
   has been authorized, the same credentials may be reused for all other
   requests within that protection space for a period of time determined
   by the authentication scheme, parameters, and/or user preference.
   Unless otherwise defined by the authentication scheme, a single
   protection space cannot extend outside the scope of its server.
</Section 11>

So, with BASIC Auth, regardless if the server challenges the user
_every time_ for its username and password, given a realm, the browser sends
its authentication. This goes back to the time when there was no session
support on web servers (it was 4 or 5 years ago, not THAT long). Instead of
asking the user for its username and password every time, the browser caches
a successful user/passwd pair and resends them (provided the challenge comes
from the same 'realm'). This is 'legacy' behavior of the browser. And the
spec accepts it.
> 
> I could have run my client through a logging proxy to tattle-tale whether
> the container was issuing an HTTP challenge on every get/post or not??

Of course, check for WWW-Authenticate; if the server challenges every time,
then it should be a part of the response. This is, however, unlikely -- Orion
must be reading the headers, and reauthenticating the user every time,
regardless of challenges.
> 
> Given that I bounced my client and deleted cookies/cache I'm still
> mystified about HTTP challenge issues???   Regardless I've moved on to
> FORM authentication and folks on this list find value in the current HTTP
> challenge behavior for their development cycle not pestering them for
> re-login....  :-/

Yep, and that's the main use I give to BASIC, it speeds up the devel cycle,
no matter how many times you restart the server.
> 
> curt
> 
> 
> >Nope. This is browser, not Orion behavior. It complies with the HTTP specs.
> 
> >>>
> >
> > I saw this too and went to FORM authentication and don't see this
> > anymore.
> >
> > I still use UserManager to receive the user/passwd from the FORM
> > via the Container, but I don't see the UserManager calls on every
> > request.
> >
> > Based on this, I feel it's a bug in orion that BASIC behaves this
> > way.
> >
> > curt
> >
> 
> 
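Added example, not part of the original thread: a small Python check for the logging-proxy test discussed above, which labels each captured exchange by whether the server sent a `WWW-Authenticate` challenge or the client supplied Basic credentials on its own. The capture, host paths, realm, credentials and function names are all constructed for illustration.

```python
import base64

def parse_head(head):
    """Split a raw HTTP message head into (start line, {lowercase name: value})."""
    start, *rest = head.split("\r\n")
    pairs = (line.partition(":") for line in rest if ":" in line)
    return start, {name.strip().lower(): value.strip() for name, _, value in pairs}

def basic_user(value):
    """User-id carried by an Authorization: Basic value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    return decoded.decode("latin-1").partition(":")[0]

def label(capture):
    """Label each (request head, response head) pair in capture order."""
    labels, pending = [], False  # pending: the previous response was a challenge
    for request_head, response_head in capture:
        _, req = parse_head(request_head)
        status_line, resp = parse_head(response_head)
        user = basic_user(req.get("authorization", ""))
        challenge = status_line.split()[1] == "401" and "www-authenticate" in resp
        if user is None:
            kind = "challenged" if challenge else "anonymous"
        elif challenge:
            kind = "rejected"      # credentials were sent but refused
        else:
            kind = "answer" if pending else "unprompted"
        labels.append((kind, user))
        pending = challenge
    return labels

# Constructed capture (hypothetical paths, realm and credentials).
CRED = base64.b64encode(b"alice:constructed-pw").decode()
AUTH = "Authorization: Basic " + CRED + "\r\n"
CHALLENGE = 'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="demo"\r\n\r\n'
OK = "HTTP/1.0 200 OK\r\n\r\n"
CAPTURE = [
    ("GET /app/ HTTP/1.0\r\n\r\n", CHALLENGE),
    ("GET /app/ HTTP/1.0\r\n" + AUTH + "\r\n", OK),
    ("GET /app/list HTTP/1.0\r\n" + AUTH + "\r\n", OK),
    ("POST /app/save HTTP/1.0\r\n" + AUTH + "\r\n", OK),
]
```

A trace with one `challenged` entry followed only by `answer` and `unprompted` entries means the client is resending cached credentials for the realm, so the server-side authenticator sees a user/password pair on every request even though it challenged once.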
