I would like to have a site where some content is public while other content is only visible to authenticated users. So authentication would be possible, but not required. I would like to know if this is possible.
Some background:
To tell the client authentication is available in the first place I need to send some headers. As I understand RFC 2617 the ‘WWW-Authenticate’ header field MUST always be part of a ‘401 (Unauthorized)’ response.
Now some clients (e.g. wget) will stop trying when they get a 401 header (wget actually uses the term ‘Authorization Required’ rather than ‘Unauthorized’).
So is this a wget bug or is there no such thing as optional http basic auth?
401 Unauthorized is specifically for when authorization is required but not provided (or not provided correctly). In your scenario, you’d only send the WWW-Authenticate header for requests that require authentication – if the auth is cancelled or not satisfactory, you then return 401. Users would not be prompted to auth until making a request that requires it. No requests have optional authentication – the request is either allowed to anonymous users or not.
It’s worth noting that HTTP auth is a bad choice for website logins, for a few reasons:
HTTP auth comes from an era when sites were static, so security was dealt with at a webserver level.
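The routing rule the answer describes (public paths never challenge; only protected paths answer 401 with a WWW-Authenticate header, and only when no valid credential was sent) as a small worked example. This is added illustration code, not from the question, the answer, or any project; the `/private` prefix, the realm name, the demo user, and port 8080 are all assumptions made up for the demo.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials; a real site would look these up in a password store.
USERS = {"alice": "correct horse battery staple"}
REALM = "members"                      # assumed realm name
PROTECTED_PREFIXES = ("/private",)     # assumed: only these paths need a login


def basic_header(user, password):
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(header):
    """Return the username if `header` is a valid Basic credential, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None          # malformed token: treat exactly like no credential
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user, "")
    # Constant-time comparison so the check does not leak password length/prefix.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return user if (ok and expected) else None


def route(path, auth_header):
    """Decide (status, extra headers, body) for a request.

    Public paths are served to everyone and never send a challenge, even if the
    client volunteered credentials. Protected paths send the 401 + WWW-Authenticate
    challenge that RFC 2617 requires, but only when no valid credential is present.
    """
    if not path.startswith(PROTECTED_PREFIXES):
        return 200, {}, b"public content\n"
    user = check_basic_auth(auth_header)
    if user is None:
        challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
        return 401, challenge, b"authentication required\n"
    return 200, {}, f"hello {user}\n".encode("utf-8")


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = route(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run with: python this_file.py, then fetch http://127.0.0.1:8080/ (public)
    # and http://127.0.0.1:8080/private (challenged) from wget or a browser.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With this split, a client that has no credentials (wget without --user/--password, or an anonymous browser) fetches every public path without ever seeing a 401, and only hits the challenge when it asks for something under the protected prefix. That is the behaviour the answer recommends: there is no "optional" 401; the status is sent only where authentication is actually a precondition.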