HTTP 401 - what's an appropriate WWW-Authenticate header value?


Problem description

The application I'm working on at the moment has a session timeout value. If the user hasn't interacted for longer than this value, the next page they try to load, they will be prompted to log in.

All requests made are routed through this mechanism, which includes AJAX calls. Originally we were sending a 200 header with the login page, which introduces some problems with AJAX since code is run if a 200 response is sent, and most data sent back from these RPC calls is JSON or raw JavaScript that gets evaluated (don't ask :|).

I've suggested that a 401 is better, since our JSON parser won't try to consume an HTML login page.. :)

When reading the spec, however, I noticed that the WWW-Authenticate field must also be sent.

What is a good value for this field? Will Application Login suffice?

Recommended answer

When indicating HTTP Basic Authentication we return something like:

WWW-Authenticate: Basic realm="myRealm"

Here Basic is the scheme and the remainder is very much dependent on that scheme. In this case realm just provides the browser a literal that can be displayed to the user when prompting for the user id and password.

You're obviously not using Basic however since there is no point having session expiry when Basic Auth is used. I assume you're using some form of Forms based authentication.

From recollection, Windows Challenge Response uses a different scheme and different arguments.

The trick is that it's up to the browser to determine what schemes it supports and how it responds to them.

My gut feel if you are using forms based authentication is to stay with the 200 + relogin page but add a custom header that the browser will ignore but your AJAX can identify.

For a really good User + AJAX experience, get the script to hang on to the AJAX request that found the session expired, fire off a relogin request via a popup, and on success, resubmit the original AJAX request and carry on as normal.

Avoid the cheat that just gets the script to hit the site every 5 mins to keep the session alive, because that just defeats the point of session expiry.

The other alternative is to burn the AJAX request, but that's a poor user experience.
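The two points in the answer above, as an added example that is not part of the original question or answer: parsing the challenge carried by a WWW-Authenticate header (the `Basic realm="myRealm"` form shown above) into its scheme and parameters, and the recommended AJAX pattern of holding on to the request that found the session expired, triggering a re-login, and resubmitting the original request exactly once. The transport, the re-login step, the fake server and the `X-Session-Expired` marker header name are all constructed for this example so it runs offline; in a browser the transport would be `fetch` or `XMLHttpRequest` and the re-login step a popup.

```javascript
// Added example; not the code of the original poster or answerer.

// Parse a WWW-Authenticate challenge such as `Basic realm="myRealm"` into
// { scheme, params }. Quoted values may contain backslash escapes.
function parseChallenge(headerValue) {
  const m = /^\s*([A-Za-z0-9._~+\/-]+)\s*(.*)$/.exec(headerValue || "");
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] =
      p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return { scheme: m[1], params };
}

// Constructed marker header name: the answer's "custom header the browser
// will ignore but your AJAX can identify" when a 200 + login page is sent.
const SESSION_EXPIRED_HEADER = "x-session-expired";

// Either signal discussed in the answer counts as "session expired":
// a real 401, or a 200 carrying the custom marker header.
function sessionExpired(response) {
  const h = response.headers || {};
  return response.status === 401 || h[SESSION_EXPIRED_HEADER] === "1";
}

// Send the request; if the session has expired, re-login and resubmit the
// original request once. Never loops and never keeps the session alive
// on its own, so session expiry still means something.
async function sendWithRelogin(request, transport, relogin) {
  const first = await transport(request);
  if (!sessionExpired(first)) return first;
  const loggedIn = await relogin();      // in a browser: a login popup
  if (!loggedIn) return first;           // give up: hand back the failure
  return transport(request);             // single resubmit of the original
}

// Constructed fake server: while the session is invalid it answers 401 with
// a Basic challenge and an HTML login page; after relogin() it serves JSON.
function makeFakeServer() {
  const state = { sessionValid: false, calls: [] };
  const transport = async (request) => {
    state.calls.push(request.url);
    if (!state.sessionValid) {
      return {
        status: 401,
        headers: { "www-authenticate": 'Basic realm="myRealm"' },
        body: "<html>login page</html>",
      };
    }
    return {
      status: 200,
      headers: { "content-type": "application/json" },
      body: '{"ok":true}',
    };
  };
  const relogin = async () => { state.sessionValid = true; return true; };
  return { state, transport, relogin };
}

// Run the whole flow against the fake server and report what happened.
async function demo() {
  const { state, transport, relogin } = makeFakeServer();
  const request = { url: "/api/data", method: "GET" };
  const res = await sendWithRelogin(request, transport, relogin);
  return { status: res.status, body: JSON.parse(res.body), calls: state.calls };
}

demo().then((r) => console.log(r));
```

The JSON parser only ever sees the second response, which is the point of the answer: the HTML login page is recognised by status or marker header before anything tries to evaluate it, and the original request is replayed rather than dropped.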

