FWD: Re: authentication cleanups

Chris Lilley, Computer Graphics Unit (lilley@v5.cgu.mcc.ac.uk)
Fri, 11 Nov 1994 20:50:24 GMT

This message originated out of private email between myself (Chris Lilley) and
Tony Sanders. We were talking about authentication realms, multiple servers,
stuff like that, particularly in relation to the handling of partial URLs.

Apparently he liked my last email and requested that I post it to the list. So,
as we are both agreed to that, here it is:

--------- included message ----------------

From: SMTP%"sanders@bsdi.com" 11-NOV-1994 17:27:02.71
To: lilley@v5.cgu.mcc.ac.uk (Chris Lilley, Computer Graphics Unit)
Subj: Re: authentication cleanups

You should post this to the list...

Chris Lilley, Computer Graphics Unit writes:

> Fine. Make it explicit that, in the case of a partial URL being returned, the
> browser must canonicalise it using the server name (which the client does
> know) and that the realm refers to that full URL with host alias and port
> number.
> So the password is explicitly stated (with an example in the spec) not to be
> presented to:
> - another machine using the same partial URL
> - the same server name on a different port number
> - a different alias for the same machine on the same port number.
> Re the last one, it is entirely possible that a server could support more than
> one virtual server on the same port. I believe this was discussed on the list
> previously. If there are different aliases this is probably for a reason.
> Comments?
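
The scoping rule proposed in the quoted message, as an added example that is not part of the original emails: a client-side credential cache that canonicalises a partial URL against the page it came from and keys the stored password on host name as written, port and realm. The host names, realm, credentials and all function and class names are constructed for illustration; ignoring the path within a server is an assumption of this sketch.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def scope_key(base_url, url, realm):
    """Resolve a possibly partial URL against the URL of the document it
    appeared in, then return the (host, port, realm) key for credentials."""
    parts = urlsplit(urljoin(base_url, url))
    # Host name exactly as written (lower-cased); no DNS lookup is done,
    # so two aliases of one machine remain two different scopes.
    host = parts.hostname
    # An omitted port and the scheme's default port are the same scope.
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (host, port, realm)


class CredentialCache:
    """Stores one (user, password) pair per (host, port, realm) scope."""

    def __init__(self):
        self._store = {}

    def remember(self, base_url, url, realm, user, password):
        self._store[scope_key(base_url, url, realm)] = (user, password)

    def lookup(self, base_url, url, realm):
        # None means: do not volunteer a password; wait for a fresh challenge.
        return self._store.get(scope_key(base_url, url, realm))


def demo():
    """Constructed sample: one stored password, four later requests."""
    cache = CredentialCache()
    partial = "/private/report.html"
    cache.remember("http://www.example.org/index.html", partial,
                   "staff", "alice", "constructed-password")
    bases = {
        "same server": "http://www.example.org/docs/a.html",
        "another machine": "http://other.example.net/index.html",
        "different port": "http://www.example.org:8080/index.html",
        "different alias": "http://alias.example.org/index.html",
    }
    return {name: cache.lookup(base, partial, "staff") is not None
            for name, base in bases.items()}


if __name__ == "__main__":
    for case, sent in demo().items():
        print(f"{case}: {'send credentials' if sent else 'withhold'}")
```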