On Tue, Oct 11, 2022 at 12:29:40PM +0000, Scott Hollenbeck wrote:

>>>> What should a logged-in end user see when they submit a standard
>>>> RDAP query, but their session has expired?
>>>
>>> [SAH] The query should be processed as if no
>>> identification/authentication information is available. The
>>> response should be whatever is appropriate based on processing the
>>> query under those circumstances.
>>
>> I think it would be better if the user got some sort of error
>> response in this instance, possibly 401. If the server is
>> configured e.g. to include additional entity information in an
>> authenticated response, but nothing else distinguishes the response
>> from one that's unauthenticated, then a client with an expired
>> session might not realise that they are getting unauthenticated
>> responses. (The client could look at the expiration time in the
>> session data structure to determine when to refresh/reauthenticate,
>> but there's no guarantee that the session will not be evicted or
>> similar prior to that time.)
>
> [SAH] After thinking about this a bit more, I think you're right. A
> difference between submitting a query after a session has expired
> and submitting a query in the absence of an authenticated session
> would be that the former would be accompanied by a session cookie
> and the latter would not, correct?
Yep, that's my understanding of it.

> If so, I agree. The RDAP server will be able to associate the first
> query with an expired session, it will know that the second isn't
> associated with a session, and it can provide an appropriate error
> for either situation.

Thanks, sounds good.

-Tom

_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext
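The three cases the thread settles on (no session cookie, a cookie naming an expired session, a cookie naming a session the server has since evicted) are easy to get wrong by collapsing the last two into the first. The following is an added illustration written for this page; it is not code from the draft under discussion, from any RDAP server, or from either participant. The cookie name `rdap_session`, the `SessionStore` class and the sample entity record are all assumptions constructed for the example. The error body follows the shape RFC 9083 section 6 defines (`errorCode`, `title`, `description` as a list of strings); the single-entity response is deliberately minimal.

```python
"""Decide how an RDAP server answers a lookup depending on session state.

Hypothetical example, not the draft's or any server's code. The cookie
name, the in-memory session store and the entity record are assumptions.
"""
import json
import time
from dataclasses import dataclass
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "rdap_session"  # assumed cookie name, not from the draft

# Constructed sample entity. The contact email is only returned to an
# authenticated user: this is the "additional entity information" case
# from the discussion, where nothing else distinguishes the two responses.
ENTITY = {
    "objectClassName": "entity",
    "handle": "EXAMPLE-1",
    "public": {"name": "Example Registrant"},
    "restricted": {"email": "registrant@example.com"},
}


@dataclass
class Session:
    user: str
    expires_at: float  # absolute time, seconds since the epoch


class SessionStore:
    """In-memory store. A real store may evict entries before they expire,
    which is exactly the case the client cannot predict from its own copy
    of the expiration time."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, sid: str, user: str, ttl: float, now: float) -> None:
        self._sessions[sid] = Session(user=user, expires_at=now + ttl)

    def lookup(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def evict(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_id_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the session cookie value, or None when no such cookie was sent."""
    raw = headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except CookieError:
        return None
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def error_body(code: int, title: str, description: str) -> dict:
    """RDAP error response body in the shape of RFC 9083 section 6."""
    return {
        "rdapConformance": ["rdap_level_0"],
        "errorCode": code,
        "title": title,
        "description": [description],
    }


def entity_response(authenticated_user: Optional[str]) -> dict:
    """Public fields always; restricted fields only for an authenticated user."""
    body = {
        "rdapConformance": ["rdap_level_0"],
        "objectClassName": ENTITY["objectClassName"],
        "handle": ENTITY["handle"],
    }
    body.update(ENTITY["public"])
    if authenticated_user is not None:
        body.update(ENTITY["restricted"])
    return body


def handle_query(headers: Dict[str, str], store: SessionStore, now: float) -> Tuple[int, dict]:
    """Return (HTTP status, response body) for a lookup of ENTITY."""
    sid = session_id_from_headers(headers)
    if sid is None:
        # No session presented at all: process as an unauthenticated query.
        return 200, entity_response(None)
    session = store.lookup(sid)
    if session is None:
        # The cookie names a session the server no longer holds (evicted).
        return 401, error_body(401, "Session not found", "Re-authenticate to continue.")
    if session.expires_at <= now:
        # The cookie names an expired session: fail loudly instead of silently
        # returning an unauthenticated response the client cannot tell apart.
        store.evict(sid)
        return 401, error_body(401, "Session expired", "Re-authenticate to continue.")
    return 200, entity_response(session.user)


if __name__ == "__main__":
    store = SessionStore()
    store.create("sid-1", "alice", ttl=3600, now=time.time())
    for hdrs in ({}, {"Cookie": "rdap_session=sid-1"}, {"Cookie": "rdap_session=stale"}):
        status, body = handle_query(hdrs, store, now=time.time())
        print(status, json.dumps(body))
```

Two practical notes. First, an expired session is removed from the store on the first request that trips over it, so a retry with the same cookie lands in the "not found" branch; both branches return 401, so the client sees the same outcome either way. Second, RFC 9110 requires a 401 response to carry a `WWW-Authenticate` header; the example omits it because the challenge format depends on the authentication mechanism the server actually uses, which this illustration does not fix.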
