Scott Lawrence wrote:

3) What is the role of the 403 response, exactly? If I read the RFC correctly it implies that the credentials should be cleared and new ones should be provided .. ? But, "in the real world", the 403 response is used to indicate many other things, so I cannot always have the user re-enter the credentials when I receive a 403. When should I do this?



403 doesn't mean authentication failed - it means "I believe that you are who you say you are, but you're not allowed to do what you want to do". It's an access control failure, not an authentication failure.


OK, I can see that .. and I agree, this interpretation makes the most sense.. however, I notice some UASes use 403 at the end of an authentication chain thusly:


A --> B  (REGISTER)
A <-- B  (401)
A --> B (REGISTER, with credentials)
A <-- B (403)

The 403 is sent when the credentials are incorrect with some implementations.

Is it just me, or are a lot of authentication implementations just plain broken?

--
David Stuart, SIPquest
Email: dave (at) sipquest (dot) com
Phone: 254-8886 x234  Web: http://www.sipquest.com/
Address: 106 - 350 Terry Fox Drive, Kanata Ontario, K2K 2P5



_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors

Reply via email to