[whatwg] Solving the login/logout problem in HTML
julian.reschke at gmx.de
Thu Nov 27 04:41:34 PST 2008
Thomas Broyer wrote:
> Julian is saying that if your page varies depending on the user being
> authenticated and/or the client not being authenticated at all, you
> (the origin server) should include a "Vary: Authorization".
> This means that if a shared cache has cached the response to an
> "unauthenticated request" and it receives an "authenticated request"
> for the same URI, it must not use the cached page but must relay the
> request back to the origin server.
> This case is specifically not handled by RFC 2616 AFAICT.
It's certainly an area that should be clarified.
> Actually, what's missing from HTTP is a way to ask you to authenticate
> but allow anonymous authentication (others have proposed sending a
Could you define what "anonymous authentication" would mean precisely?
> WWW-Authenticate response header-field with a 200 OK status; AFAICT
> HTTP doesn't disallow it (well, the "MUST be included in 401 response
> messages" is unclear to me: does it mean a 401 must have a
> WWW-Authenticate or the WWW-Authenticate must *only* be with a 401, or
Only the former. The latter is currently undefined. The interesting
question is whether we can retroactively specify it for 200 responses
without breaking existing servers.
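An added illustration of the shared-cache behaviour Thomas describes above: a toy cache that is fed the same URI by an anonymous and an authenticated client, once without and once with "Vary: Authorization". This is constructed example code, not from the thread or any HTTP implementation; the URI, credential and page bodies are made up.

```python
"""Toy shared cache: what "Vary: Authorization" changes (constructed example)."""
from typing import Dict, Tuple

ALICE = "Basic YWxpY2U6c2VjcmV0"  # constructed credential (alice:secret)

# The origin serves different bodies to anonymous and authenticated clients.
PAGES = {None: "Welcome, guest. Please log in.",
         ALICE: "Welcome back, alice. Here is your private dashboard."}

def origin(uri: str, req: Dict[str, str], vary_auth: bool) -> Tuple[Dict[str, str], str]:
    """Origin server. "public" lets a shared cache store even responses to
    requests carrying Authorization (RFC 2616 14.8); Vary is what tells the
    cache that the body depended on that request header."""
    body = PAGES.get(req.get("Authorization"), "401 Unauthorized")
    hdrs = {"Cache-Control": "public, max-age=60"}
    if vary_auth:
        hdrs["Vary"] = "Authorization"
    return hdrs, body

def _selecting(req: Dict[str, str], vary: Tuple[str, ...]) -> Tuple:
    """Values of the request headers named in Vary, used to match stored responses."""
    return tuple(req.get(name) for name in vary)

class SharedCache:
    def __init__(self, vary_auth: bool):
        self.vary_auth = vary_auth
        self.store = {}  # (uri, vary fields, selecting header values) -> body
        self.origin_hits = 0

    def get(self, uri: str, req: Dict[str, str]) -> str:
        for (c_uri, vary, selected), body in self.store.items():
            if c_uri == uri and selected == _selecting(req, vary):
                return body  # cache hit: served without contacting the origin
        self.origin_hits += 1
        hdrs, body = origin(uri, req, self.vary_auth)
        vary = tuple(f.strip() for f in hdrs.get("Vary", "").split(",") if f.strip())
        self.store[(uri, vary, _selecting(req, vary))] = body
        return body

def run_scenario(vary_auth: bool, order=("guest", "alice")) -> Dict[str, object]:
    """Two clients fetch /home through one shared cache, in the given order."""
    cache = SharedCache(vary_auth)
    creds = {"guest": {}, "alice": {"Authorization": ALICE}}
    results: Dict[str, object] = {who: cache.get("/home", creds[who]) for who in order}
    results["origin_hits"] = cache.origin_hits
    return results

if __name__ == "__main__":
    print(run_scenario(vary_auth=False))                            # alice gets the guest page
    print(run_scenario(vary_auth=False, order=("alice", "guest")))  # guest gets alice's page
    print(run_scenario(vary_auth=True))                             # each gets their own page
```

The reverse order (authenticated response cached first) is the more damaging failure, since the anonymous client is then served the authenticated user's page; Vary: Authorization makes the cache key on the credential in both directions.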