incubator-couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject redirection on authentification
Date Tue, 07 Dec 2010 10:19:07 GMT
Hi all,

I'm experiencing a problem with the current method used when
authentication fails. If you pass a wrong authentication header you
are redirected to an HTML page asking for credentials. So technically
we do:

401 -> 302 -> 200

Which is wrong if we follow the spec. "The response MUST include a
WWW-Authenticate header field [..]" [1]. It also introduces some bugs,
try for example to create a database when not logged in.

The reason we use a 302 actually is for couchapps. I think we should
change that behavior:

1. Provide appropriate HTTP response by default
2. Use the tricks of cookie auth (specific header) to let the
CouchApps access CouchDB. Something like an "X-Auth-..." header in the
request that notifies us we need to send a response that will not
raise the dialog box in browsers.

Thoughts?

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2


- benoît
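
The redirect behaviour described in the message next to item 1 of the proposal, as seen by a client that follows redirects. This is an added example, not part of the original message and not CouchDB code; the demo server, its credentials, the `/newdb` and `/login.html` paths and the `make_handler` and `probe` names are assumptions.

```python
import base64, hmac, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the demo server (assumption, not CouchDB's).
GOOD = "Basic " + base64.b64encode(b"admin:constructed-secret").decode()
BAD = "Basic " + base64.b64encode(b"admin:wrong").decode()

def make_handler(redirect_on_failure):
    class Handler(BaseHTTPRequestHandler):
        def reply(self, status, headers=()):
            self.send_response(status)
            for name, value in headers:
                self.send_header(name, value)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def do_PUT(self):  # stands in for "create a database"
            if hmac.compare_digest(self.headers.get("Authorization", ""), GOOD):
                self.reply(201)
            elif redirect_on_failure:  # the behaviour the message objects to
                self.reply(302, [("Location", "/login.html")])
            else:  # item 1 of the proposal: plain 401 with a challenge
                self.reply(401, [("WWW-Authenticate", 'Basic realm="demo"')])
        def do_GET(self):  # the HTML login page
            self.reply(200, [("Content-Type", "text/html")])
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def probe(redirect_on_failure):
    """PUT with bad credentials, follow redirects; return [(status, has_challenge), ...]."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(redirect_on_failure))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    chain, method, path = [], "PUT", "/newdb"
    try:
        while len(chain) < 5:  # hard stop against redirect loops
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request(method, path, headers={"Authorization": BAD})
            resp = conn.getresponse()
            resp.read()
            chain.append((resp.status, resp.getheader("WWW-Authenticate") is not None))
            location = resp.getheader("Location")
            conn.close()
            if resp.status != 302 or not location:
                break
            method, path = "GET", location  # clients commonly re-issue a 302 as GET
    finally:
        server.shutdown()
        server.server_close()
    return chain
```

With the redirect, the failed PUT ends on a 200 for the login page and no response carries a challenge; with the plain 401 the client sees the failure and the `WWW-Authenticate` header on the first response.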
