Browser Side Access Authorization Description

The exact browser side Access Authorization procedures are described in the corresponding protection scheme specification:

During a browsing session the client side keeps track on the hosts, schemes, and the corresponding usernames and passwords. Because the browser keeps track of this authorization information, on subsequent requests to servers that it has contacted already during a particular browsing session, the browser can automatically send the authorization information

without first failing to access the document, and
without having to re-prompt for the username and password from the user.

How Does the Browser Know When to Send AA Info

The protected documents are to be collected to directories of protected documents. In those directories there should be only protected documents, all of which are protected by the same scheme. The browser can then use this assumption to make the decision about whether to send authorization information along with the request:

If the servers replies 401 (Unauthorized) for some file, every other file in that directory and in its subdirectories is considered protected by that same server (and shceme).

The 'directory' in this context means what seems to be a directory when examining a given URL.

AL 12 December 1993