combining authenticated and anonymous access

Hi,

over on the WHATWG list, the topic of how to implement a site that 
offers both authenticated and anonymous access is being discussed (see 
around 
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/017562.html>).

An interesting proposal is to continue returning content with status 
200, but to include the WWW-Authenticate header nevertheless. RFC2616 
currently is silent about this combination:

"14.47 WWW-Authenticate

The WWW-Authenticate response-header field MUST be included in 401 
(Unauthorized) response messages. The field value consists of at least 
one challenge that indicates the authentication scheme(s) and parameters 
applicable to the Request-URI.

     WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge

The HTTP access authentication process is described in "HTTP 
Authentication: Basic and Digest Access Authentication" [43]. User 
agents are advised to take special care in parsing the WWW-Authenticate 
field value as it might contain more than one challenge, or if more than 
one WWW-Authenticate header field is provided, the contents of a 
challenge itself can contain a comma-separated list of authentication 
parameters." -- 
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>

Has anybody tried this before?

BR, Julian

Received on Thursday, 27 November 2008 18:52:43 UTC
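
The parsing care that the quoted section 14.47 asks of user agents, as an added example that is not part of the original message: a Python sketch that splits one or more WWW-Authenticate values into challenges without confusing the commas between challenges, between auth-params, and inside quoted-strings. It assumes the RFC 2617 `scheme 1#auth-param` grammar; `auth_mode` is a hypothetical client policy for the 200-plus-challenge proposal, and the header values in `SAMPLE` are constructed.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token "=" ( token | quoted-string )   (RFC 2617 grammar)
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})$')
START = re.compile(rf'({TOKEN})(?:\s+(.*))?$', re.S)  # auth-scheme [SP first auth-param]

def split_outside_quotes(value):
    """Split a #list on commas that are not inside a quoted-string."""
    items, buf, in_q, esc = [], [], False, False
    for ch in value:
        if esc:
            esc = False
        elif ch == "\\" and in_q:
            esc = True
        elif ch == '"':
            in_q = not in_q
        elif ch == "," and not in_q:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]  # the #rule allows empty list elements

def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_challenges(field_values):
    """field_values: one string per WWW-Authenticate header line in the response."""
    challenges = []
    for item in split_outside_quotes(", ".join(field_values)):
        m = PARAM.match(item)
        if m and challenges:  # bare auth-param: belongs to the challenge in progress
            challenges[-1][1][m.group(1).lower()] = unquote(m.group(2))
            continue
        s = START.match(item)
        first = PARAM.match(s.group(2).strip()) if s and s.group(2) else None
        if not s or (s.group(2) and not first):
            raise ValueError(f"malformed challenge element: {item!r}")
        params = {first.group(1).lower(): unquote(first.group(2))} if first else {}
        challenges.append((s.group(1), params))
    return challenges

def auth_mode(status, field_values):
    """Hypothetical client policy: a challenge on a 200 means login is optional."""
    return {401: "required", 200: "optional"}.get(status, "other") if field_values else "none"

# Constructed sample: two header lines, commas and an escaped quote inside quoted-strings.
SAMPLE = ['Basic realm="public, members area"',
          'Digest realm="members", qop="auth,auth-int", nonce="abc\\"def"']
```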