[ietf-nntp] Reauthentication?
Jeffrey M. Vinocur
jeff at litech.org
Tue Jun 15 15:41:50 PDT 2004
On Tue, 25 May 2004, Ken Murchison wrote:
> Does anyone have strong feelings on either requiring or disallowing
> reauthentication within a single NNTP session?
>
> Unless there is an existing requirement, I'd like to disallow it since
> it gets messy when SASL is involved. None of the other messaging
> protocols allow it either.
Since no one objected, Ken added the following text:
After an AUTHINFO command has been successfully completed, no more
AUTHINFO commands may be issued in the same session. After a
successful AUTHINFO command completes, a server MUST reject any
further AUTHINFO commands with a 502 response.
Which raises a followup question.
Is the server permitted to return 480 to a client that has already
authenticated? I would say not, since we're forbidding reauthentication
(but as there is a not entirely unreasonable argument for doing so in
order to guide the client into knowing when it might still be missing some
access rights, I just wanted to mention it).
If there's no further discussion, and Ken agrees, we'll add text
forbidding the server to return 480 in the authenticated state.
--
Jeffrey M. Vinocur
jeff at litech.org
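
Added example, not part of the original message or of any NNTP server's code: a toy per-session state model of the rule quoted above (502 for any AUTHINFO after a successful one) together with the rule the message proposes (no 480 once the client is authenticated). The class name, account data, command sets and stub replies are constructed for illustration; the 281/381/481/482 reply codes are those of AUTHINFO USER/PASS in RFC 4643.

```python
import hmac

# Constructed data for this sketch; only 480 and 502 come from the message.
# 281/381/481/482 are the AUTHINFO USER/PASS reply codes from RFC 4643.
ACCOUNTS = {"reader": "s3cret"}
RIGHTS = {"reader": {"GROUP"}}     # "reader" may not POST
RESTRICTED = {"GROUP", "POST"}     # commands that need access rights
OK = {"GROUP": "211 0 0 0 misc.test", "POST": "340 Send article"}  # stub replies


class Session:
    def __init__(self):
        self.user = None           # set once AUTHINFO has succeeded
        self.pending_user = None   # name from AUTHINFO USER awaiting PASS

    def handle(self, line):
        parts = line.split()
        verb = parts[0].upper() if parts else ""
        if verb == "AUTHINFO":
            return self._authinfo(parts[1:])
        if verb not in RESTRICTED:
            return "500 Unknown command"
        if self.user is None:
            return "480 Authentication required"
        if verb not in RIGHTS[self.user]:
            # Authenticated but lacking rights: 480 would prompt an AUTHINFO
            # that must be refused, so the proposed rule answers 502 here.
            return "502 Command unavailable"
        return OK[verb]

    def _authinfo(self, args):
        if self.user is not None:
            return "502 Command unavailable"   # no reauthentication
        sub = args[0].upper() if args else ""
        if sub == "USER" and len(args) == 2:
            self.pending_user = args[1]
            return "381 Password required"
        if sub == "PASS" and len(args) == 2:
            if self.pending_user is None:
                return "482 Authentication commands issued out of sequence"
            name, self.pending_user = self.pending_user, None
            expected = ACCOUNTS.get(name)
            if expected is not None and hmac.compare_digest(
                    expected.encode(), args[1].encode()):
                self.user = name
                return "281 Authentication accepted"
            return "481 Authentication failed"
        return "501 Syntax error"
```

A failed PASS leaves the session unauthenticated, so a later AUTHINFO is still accepted; only a successful one locks the command out.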