ietf-nntp Multiple AUTHINFOs per session
Andrew Gierth
andrew at erlenstar.demon.co.uk
Sun Jan 5 17:40:23 PST 2003
>>>>> "Jeffrey" == Jeffrey M Vinocur <jeff at litech.org> writes:
Jeffrey> Ken has raised the issue of whether a client should be able
Jeffrey> to AUTHINFO multiple times in the same session. Some
Jeffrey> observations:
Jeffrey> - If an AUTHINFO fails, the client should be able to retry
Jeffrey> (unless the server has chosen to close the connection).
Jeffrey> Agreed?
The usual case on failed authentication is to send the 502 response and
close the connection.
There seems to be no obvious reason to allow clients to retry a failed
authentication.
Jeffrey> - INN at least permits clients to use AUTHINFO USER/PASS
Jeffrey> multiple times. Do other servers do the same?
in many cases it's awkward to actually change the credentials
associated with the session. I know that some servers will accept and
ignore subsequent AUTHINFO commands once the user is authorised (either
by IP or by previous AUTHINFO command).
Jeffrey> (Of course, I suspect few if any clients actually attempt
Jeffrey> this functionality. Anyone know about that?)
I've not heard of any client legitimately trying to do this.
The usual (almost universal) assumption is that authentication is for
a whole session, that it's done once either by the client at session
startup or in response to the first 480 error.
--
Andrew.
More information about the ietf-nntp
mailing list