HTTP 401 - what's an appropriate WWW-Authenticate header value?


Question

The application I'm working on at the moment has a session timeout value. If the user hasn't interacted for longer than this value, on the next page they try to load they will be prompted to log in.

All requests made are routed through this mechanism, which includes AJAX calls. Originally we were sending a 200 header with the login page, which introduces some problems with AJAX since code is run if a 200 response is sent, and most data sent back from these RPC calls is JSON or raw JavaScript that gets evaluated (don't ask :|).

I've suggested that a 401 is better, since our JSON parser won't try to consume an HTML login page.. :)

When reading the spec, however, I noticed that the WWW-Authenticate field must also be sent.

What is a good value for this field? Will "Application Login" suffice?

Recommended answer

When indicating HTTP Basic Authentication we return something like:

WWW-Authenticate: Basic realm="myRealm"

Whereas Basic is the scheme, the remainder is very much dependent on that scheme. In this case realm just provides the browser a literal that can be displayed to the user when prompting for the user id and password.

You're obviously not using Basic, however, since there is no point having session expiry when Basic Auth is used. I assume you're using some form of forms-based authentication.

From recollection, Windows Challenge Response uses a different scheme and different arguments.

The trick is that it's up to the browser to determine what schemes it supports and how it responds to them.

My gut feel, if you are using forms-based authentication, is to stay with the 200 + relogin page but add a custom header that the browser will ignore but your AJAX can identify.

For a really good user + AJAX experience, get the script to hang on to the AJAX request that found the session expired, fire off a relogin request via a popup, and on success resubmit the original AJAX request and carry on as normal.

Avoid the cheat that just gets the script to hit the site every 5 mins to keep the session alive, because that just defeats the point of session expiry.

The other alternative is to burn the AJAX request, but that's a poor user experience.
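The two signals the answer discusses (the scheme in a 401's WWW-Authenticate challenge, and a custom header on a 200 login page that browsers ignore) together with the hold-the-request, relogin, resubmit pattern, as an added browser-side example that is not code from the original question or answer; the scheme name `AppLogin`, the header `X-Session-Expired` and the `relogin()` callback are assumptions.

```javascript
// Added example, not from the original answer. Assumptions: the app answers
// 401 with the hypothetical scheme "AppLogin", or sends a 200 login page
// carrying the hypothetical custom header "X-Session-Expired: 1".

// Parse one WWW-Authenticate challenge, e.g. 'Basic realm="myRealm"',
// into { scheme, params }; quoted and unquoted auth-params are supported.
function parseChallenge(value) {
  const m = /^\s*([A-Za-z0-9._~+\/-]+)\s*(.*)$/.exec(value || "");
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    let v = p[2];
    if (v.startsWith('"')) v = v.slice(1, -1).replace(/\\(.)/g, "$1");
    params[p[1].toLowerCase()] = v;
  }
  return { scheme: m[1], params };
}

// True when the response means "session expired": a 401 whose challenge
// names the application's own scheme, or the custom header browsers ignore.
function sessionExpired(res, appScheme) {
  if (res.headers.get("X-Session-Expired") === "1") return true;
  if (res.status !== 401) return false;
  const ch = parseChallenge(res.headers.get("WWW-Authenticate"));
  return ch !== null && ch.scheme.toLowerCase() === appScheme.toLowerCase();
}

// Hold on to the request, re-login once (e.g. via a popup), then resubmit
// the original request. A second expiry is handed back to the caller.
async function fetchWithRelogin(url, init, { fetchImpl, relogin, appScheme }) {
  let res = await fetchImpl(url, init);
  if (sessionExpired(res, appScheme) && (await relogin())) {
    res = await fetchImpl(url, init);
  }
  return res;
}

// Constructed stand-in for fetch() (not a real server): it answers with the
// 401 challenge until relogin() has been called, then with the wanted JSON.
function makeFakeServer() {
  let loggedIn = false;
  const challenge = new Map([["WWW-Authenticate", 'AppLogin realm="app"']]);
  return {
    fetchImpl: async () => loggedIn
      ? { status: 200, headers: new Map(), body: '{"ok":true}' }
      : { status: 401, headers: challenge },
    relogin: async () => (loggedIn = true),
  };
}
```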
