On 4/20/05, Chris Withers <[EMAIL PROTECTED]> wrote:
> Lennart Regebro wrote:
> >>Supposedly you would not be able to access that part of the site until
> >>you authenticate against it. Isn't that the case now?
> >
> > Assuming it requires authentication, yes.
> And if it doesn't require authentication?

It would fail, since you supplied incorrect authentication. That's
pretty counter-intuitive. You are logged in, and click on a part of
the site where you should not need authentication, and you get
authentication errors. ;)

> Also, what determines whether it requires authentication? authorisation
> requirements or something else?

If it's accessible by anonymous that is the same as not requiring authorization.

> > The main problem here is that Internet Explorer doesn't allow you to
> > log out, for example.
> I thought returning enough 401's usually prompts any browser to drop its
> basic auth?

Nope, not IE. Yes, that is non-standard. But they do that so that if
you click on something that you can NOT access, you can continue
surfing without having to log in again. Which actually is pretty
reasonable in a way.

> > So, in principle, invalid credentials should raise an error, but in
> > practice, you can't do that if you use Simple HTTP authentication.
> Why not? Surely they should just get a 403 response?

403 Forbidden: The server understood the request, but is refusing to
fulfill it. Authorization will not help and the request SHOULD NOT be
repeated. If the request method was not HEAD and the server wishes to
make public why the request has not been fulfilled, it SHOULD describe
the reason for the refusal in the entity. If the server does not wish
to make this information available to the client, the status code 404
(Not Found) can be used instead.

I fail to see how this is a reasonable response when you request a page
that is public just because your credentials are invalid in that
location. It's a bit like refusing people into a public park because
they have a security badge on their shirt. ;)

Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/
Zope-Coders mailing list
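The policy argued for in the reply above, written out as an added example (not code from the thread, nor from Zope or CPS): a small request handler with a constructed user table and access map, in which bad Basic credentials on an Anonymous-accessible page are ignored, a protected page answers 401 with a challenge so the browser can re-prompt, and a valid identity lacking the required role gets 403.

```python
import base64
from typing import Optional, Tuple

# Constructed sample data (not from the thread): users, roles and per-path access rules.
USERS = {"alice": "s3cret"}                      # username -> password
ROLES = {"alice": {"Authenticated", "Editor"}}   # username -> roles
# Each path lists the roles permitted to view it; "Anonymous" means public.
ACCESS = {
    "/public": {"Anonymous", "Authenticated"},
    "/members": {"Authenticated"},
    "/admin": {"Manager"},
}


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(path: str, authorization: Optional[str]) -> Tuple[int, dict]:
    """Return (status, headers) for a request to path carrying the given Authorization header."""
    allowed = ACCESS.get(path)
    if allowed is None:
        return 404, {}
    creds = parse_basic(authorization)
    valid = creds is not None and USERS.get(creds[0]) == creds[1]
    # A public resource is served no matter what the Authorization header says:
    # stale or wrong credentials sent by the browser are simply ignored here.
    if "Anonymous" in allowed:
        return 200, {}
    if not valid:
        # Missing or wrong credentials on a protected page: challenge again so the
        # browser can re-prompt (401 + WWW-Authenticate) instead of a dead-end 403.
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    roles = ROLES.get(creds[0], set()) | {"Authenticated"}
    if roles & allowed:
        return 200, {}
    # Valid identity but no permitted role: 403, since re-authenticating will not help.
    return 403, {}
```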
