On 10 Aug 2004 17:29:28 +0200, d95-bli@nada.kth.se (Björn Lindberg) wrote:
> I see. The reason I thought it was handled by HTTP was because, as you imply, the window requesting username and password usually only pops up once. If there was nowhere in the chain any caching of the two, or 'state', then the access window would pop up for each and every access restricted page.
> Now you've led me to believe that it is actually the client's browser that is storing the authentication information and resending it upon request from the server. Is this right? (Sorry for bothering you with this elementia.)
Yes, it's the browser which (re-)sends the credentials automatically. Actually, it should try each request without credentials first because the server doesn't provide any information as to which other pages need authorization (and even if the same page will still require authorization tomorrow or in ten seconds).
However, that would involve two requests per page and the browser would get very many 401 replies. Therefore, all current browsers will volunteer to send credentials based on certain heuristics (like if it's the same server and the same directory or somesuch).
Cheers, Edi.
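
The exchange described in this reply, as an added example that is not part of the original thread: a stateless toy server that answers 401 until it sees valid Basic credentials, and a toy browser that is challenged once and then volunteers the cached credentials only to the same scheme, host and directory (or below). The hosts, paths, account and the `server`/`Client` names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

PROTECTED_PREFIX = "/private/"   # constructed: area the toy server protects
USERS = {"alice": "s3cret"}      # constructed account

def server(url, headers):
    """Stateless toy server: every request is judged on its own headers."""
    if not urlsplit(url).path.startswith(PROTECTED_PREFIX):
        return 200, {}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if user in USERS and USERS[user] == pw:
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="demo"'}

class Client:
    """Toy browser that caches credentials per (scheme, host, directory)."""
    def __init__(self, answers):
        self.answers = answers   # host -> (user, password): what the user types
        self.cache = {}          # (scheme, host, directory) -> header value
        self.log = []            # (url, credentials_sent, status)

    def _lookup(self, url):
        u = urlsplit(url)
        for (scheme, host, directory), header in self.cache.items():
            if (scheme, host) == (u.scheme, u.netloc) and u.path.startswith(directory):
                return header
        return None

    def get(self, url):
        header = self._lookup(url)
        status, resp = server(url, {"Authorization": header} if header else {})
        self.log.append((url, header is not None, status))
        u = urlsplit(url)
        if status == 401 and header is None and u.netloc in self.answers:
            # First challenge for this area: "prompt" once, cache, then retry.
            user, pw = self.answers[u.netloc]
            token = base64.b64encode(f"{user}:{pw}".encode()).decode()
            directory = u.path.rsplit("/", 1)[0] + "/"
            self.cache[(u.scheme, u.netloc, directory)] = "Basic " + token
            return self.get(url)
        return status
```

The request log shows the point of the heuristic: two requests for the first protected page, one for every later page under the same directory, and no `Authorization` header sent to a different host.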