[tbnl-devel] Authorized pages
Edi Weitz
edi at agharta.de
Tue Aug 10 15:51:04 UTC 2004
On 10 Aug 2004 17:29:28 +0200, d95-bli at nada.kth.se (Björn Lindberg) wrote:
> I see. the reason I thought it was handled by HTTP was because, as
> you imply, the window requesting username and password usually only
> pops up once. If there nowhere in the chain was any caching of the
> two, or 'state', then the access window would pop up for each and
> every access restricted page.
>
> Now you've led me to believe that it is actually the client's
> browser that is storing the authentification information and
> resending it upon request from the server. Is this right? (Sorry for
> bothering you with this elementia.)
Yes, it's the browser which (re-)sends the credentials
automatically. Actually, it should try each request without
credentials first because the server doesn't provide any information
as to which other pages need authorization (and even if the same page
will still require authorization tomorrow or in ten seconds).
However, that would involve two requests per each page and the browser
would get very many 401 replies. Therefore, all current browser will
volunteer to send credentials based on certain heuristics (like if
it's the same server and the same directory or somesuch).
Cheers,
Edi.
More information about the Tbnl-devel
mailing list