[4265] in WWW Security List Archive


Re: adduser web page

daemon@ATHENA.MIT.EDU (Koen Holtman)
Thu Feb 6 14:12:44 1997

From: koen@win.tue.nl (Koen Holtman)
To: kdyer@draper.com
Date: Thu, 6 Feb 1997 18:16:16 +0100 (MET)
Cc: www-security@ns2.rutgers.edu, www-talk@w3.org
In-Reply-To: <970204142706.ZM3395@aries1.draper.com> from "Kevin J. Dyer" at Feb 4, 97 02:27:06 pm
Errors-To: owner-www-security@ns2.rutgers.edu

Kevin J. Dyer:
[...]
>This thread about allowing users to change their passwords via CGI/ Applets
>can go on forever.  I would like to hear from the community about the
>possibility
>of expanding the 4xx codes in HTTP/1.1 to include the following:
>
>	416  Re-Validation requested
>
>	The username was accepted but the password was challenged again or
>	the sysadmin expired the password, etc.
>
>	The user agent would display a pop-up requesting two fields.

Do you have in mind that this code should clear the password cache of the
user agent, effectively ending the authenticated session so that the user can
walk away from the (public) web browser?  A code for that would be useful.

If you just want to make the password requestor pop up, sending a 401 will
do that on most user agents.  But if the user presses cancel on the pop-up,
most user agents will keep on sending the old password.

Koen.
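
The 401 behaviour discussed in the message above, sketched from the server side as an added example that is not part of the original post. Since the server cannot clear the user agent's cached password, it has to refuse the old credentials on every request once the password has expired. The realm, account store and function names are constructed for illustration.

```python
import base64
import hmac

REALM = "accounts"  # constructed realm name

# Constructed sample account store: user -> (password, expiry in epoch seconds).
USERS = {"alice": ("old-secret", 1000)}

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def respond(auth_header, now, users=USERS):
    """Decide status and headers for one request.

    An expired password gets the same 401 challenge as a wrong one, so a
    user agent that keeps replaying its cached credentials is refused on
    every request, whether or not the user cancelled the pop-up.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, challenge
    user, password = creds
    stored, expires = users.get(user, ("", 0))
    # Constant-time comparison; unknown users never match.
    ok = hmac.compare_digest(password.encode(), stored.encode()) and user in users
    if not ok or now >= expires:
        return 401, challenge
    return 200, {}

def basic(user, password):
    """Build the header a user agent would send (helper for the sample)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token
```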
