It's still worth investigating IMO. One could argue that returning to
an unauthorized client even the info that a resource has not changed
since an authenticated request was returned successfully violates the authentication protection.
that's pretty much what *i* thought, anyway...
This may have more to do with the server's authentication requirements than the HTTP spec. Does anyone know if the Servlet spec
addresses this?
from the 2.4 Servlet spec:
If the user is authenticated using form login and has created an HTTP
session, the timeout or invalidation of that session leads to the user being logged out in the sense that subsequent requests must
cause the user to be re-authenticated.
seems fairly straightforward to me.
i agree that the HTTP spec is less than optimally clear, and that this isn't a huge issue - it's just that it exercises an MSIE6 misfeature that html pages are cached, but included .js & .css files are not, resulting in the display of ugly & broken pages when this happens.
--alex.
