Re: Authentication

From: Egon Andersen <ean talura dk>
To: libsoup-list gnome org
Subject: Re: Authentication
Date: Mon, 10 Jan 2011 20:06:48 +0100

Dan Winship wrote:

On 01/07/2011 12:40 PM, Egon Andersen wrote:

I'm doing authentication in my libsoup based server.
When authentication fails, the server responds with status-code 401
Unauthorized.
That will cause the browser to open the login dialog box.
This is quite annoying in cases where I e.g. use XMLHttpRequest()


Hm... what browser? There was some discussion of using exactly this
trick on the IETF HTTP mailing list a while back, and it seems to work
in most places:

http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0190.html

(If you're using WebKitGTK, you'll need libsoup >= 2.32.1.)

Yes, it is pretty much that I'm implementing. The problem arises withlibsoup, when I use a timeout mechanism for the logout.I had the auth_callback report false, when the connection had not beenused for a specified amount of time - say 15 minutes.

If the browser, previously logged in, did an XMLHTTPRequest after thattime, the server sends 401 and the browser opens the login dialogue.

I believe I see that in Mozilla Firefox, Google Chrome and Apple Safari.

I've made a change in the server that makes the test as a two stepprocess. First authentication using auth_callback and then if thecredentials are valid, a kind of authorization step, which checks fortimeout and send a 403 response, if logged out due to timeout.

Are there any way I can change the status-code to 403, without having to
make my complete own authentication mechanism (which I would of course
like to avoid)?


Not really. You could connect to notify::status-code on the message, and
if someone changes it to 401, re-change it to 403. There's no way to
make SoupAuthDomain/SoupServer use 403 instead of 401 though, because
that pretty much totally violates the spec.

Well, not really violating the specs. Couldn't find it in HTTP/1.1, butin the HTTP/1.0 specs chapter 11 it says:

<cite>

If the server does not wish to accept the credentials sent with arequest, it should return 403 (forbidden) response

</cite>
So I don't see that is should be a violation of the specs :-)

By the way, my changed mechanism is working fine with Mozilla Firefox,Google Chrome and Apple Safari.


Best regards
Egon Andersen

References:
- Authentication
  - From: Egon Andersen
- Re: Authentication
  - From: Dan Winship

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]