Thomas Broyer wrote:
...
> Julian is saying that if your page varies depending on the user being
> authenticated and/or the client not being authenticated at all, you
> (the origin server) should include a "Vary: Authorization".
> This means that if a shared cache has cached the response to an
> "unauthenticated request" and it receives an "authenticated request"
> for the same URI, it must not use the cached page but must relay the
> request back to the origin server.

> This case is specifically not handled by RFC 2616 AFAICT.
...

It's certainly an area that should be clarified.

...
> Actually, what's missing from HTTP is a way to ask you to authenticate
> but allow anonymous authentication (others have proposed sending a
> ...

Could you define what "anonymous authentication" would mean precisely?

> WWW-Authenticate response header-field with a 200 OK status; AFAICT
> HTTP doesn't disallow it (well, the "MUST be included in 401 response
> messages" is unclear to me: does it mean a 401 must have a
> WWW-Authenticate or the WWW-Authenticate must *only* be with a 401, or
> both?).

Only the former. The latter is currently undefined. The interesting
question is whether we can retroactively specify it for 200 responses
without breaking existing servers.

...

BR, Julian

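To make the shared-cache behaviour described above concrete, here is an added example (not code from this thread, from Thomas Broyer or from Julian Reschke): a toy shared cache that keys stored responses on the header fields named in Vary, plus the RFC 2616 section 14.8 rule that a response to a request carrying Authorization is not reused for other requests. Two constructed origins serve the same URI, one sending "Vary: Authorization" and one forgetting it; the `Response` type, `SharedCache`, the origin functions and the sample credential are all assumptions made for the illustration.

```python
"""Toy shared cache that honours Vary, to show what "Vary: Authorization" buys.

Added example for this thread; not code from the HTTP WG, Thomas Broyer or
Julian Reschke. Everything here (Response, SharedCache, the two origins and
the sample credential) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]


@dataclass
class Response:
    status: int
    headers: Headers
    body: bytes


def header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP field names are case-insensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def selecting_fields(resp: Response) -> List[str]:
    """Field names listed in the response's Vary header, lower-cased."""
    vary = header(resp.headers, "Vary") or ""
    return [f.strip().lower() for f in vary.split(",") if f.strip()]


def shared_cache_may_store(req: Headers, resp: Response) -> bool:
    """RFC 2616 section 14.8: a shared cache must not reuse the response to a
    request carrying Authorization for other requests unless Cache-Control
    carries s-maxage, must-revalidate or public. This toy simply does not
    store such responses. Responses to anonymous requests are stored
    (freshness is ignored here)."""
    if header(req, "Authorization") is None:
        return True
    cc = (header(resp.headers, "Cache-Control") or "").lower()
    return any(d in cc for d in ("s-maxage", "must-revalidate", "public"))


class SharedCache:
    """Per URI, keeps (request headers, response) pairs; a stored response is
    reusable only if every field named in its Vary matches the new request."""

    def __init__(self, origin: Callable[[str, Headers], Response]):
        self._origin = origin
        self._store: Dict[str, List[Tuple[Headers, Response]]] = {}
        self.origin_hits = 0

    @staticmethod
    def _selects(stored_req: Headers, resp: Response, req: Headers) -> bool:
        fields = selecting_fields(resp)
        if "*" in fields:          # "Vary: *" never matches a later request
            return False
        # Absent on both sides counts as equal; a Vary-less response matches all.
        return all(header(stored_req, f) == header(req, f) for f in fields)

    def get(self, uri: str, req: Headers) -> Tuple[Response, str]:
        """Return (response, "cache" or "origin")."""
        for stored_req, resp in self._store.get(uri, []):
            if self._selects(stored_req, resp, req):
                return resp, "cache"
        self.origin_hits += 1
        resp = self._origin(uri, req)
        if shared_cache_may_store(req, resp):
            self._store.setdefault(uri, []).append((dict(req), resp))
        return resp, "origin"


# Two constructed origins for the same page; both render differently for
# anonymous and authenticated clients. Only the first says so via Vary.
def origin_with_vary(uri: str, req: Headers) -> Response:
    cred = header(req, "Authorization")
    if cred is None:
        return Response(200, {"Vary": "Authorization"}, b"anonymous view")
    return Response(200, {"Vary": "Authorization"}, b"view for " + cred.encode())


def origin_without_vary(uri: str, req: Headers) -> Response:
    cred = header(req, "Authorization")
    if cred is None:
        return Response(200, {}, b"anonymous view")
    return Response(200, {}, b"view for " + cred.encode())


def demo(origin: Callable[[str, Headers], Response]) -> Tuple[bytes, bytes, str]:
    """Anonymous request first (its response gets cached), then an
    authenticated request for the same URI. Returns both bodies and where
    the second one was served from."""
    cache = SharedCache(origin)
    anon, _ = cache.get("/page", {})
    # Constructed credential: base64("alice:pw"); not a real account.
    authed, source = cache.get("/page", {"Authorization": "Basic YWxpY2U6cHc="})
    return anon.body, authed.body, source


if __name__ == "__main__":
    print(demo(origin_with_vary))     # authenticated request relayed to origin
    print(demo(origin_without_vary))  # authenticated user gets the anonymous page
```

With "Vary: Authorization" the second request misses (the stored request had no Authorization, the new one does) and is relayed to the origin; without it, the Vary-less cached entry matches every request for the URI and the authenticated client is handed the anonymous page, which is exactly the case the message above says RFC 2616 leaves unaddressed.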