On Tue, Dec 7, 2010 at 10:19 AM, Benoit Chesneau <bchesn...@gmail.com> wrote:
> Which is wrong if we follow the spec. "The response MUST include a
> WWW-Authenticate header field [..]" [1]. It also introduces some bugs,
> try for example to create a database when not logged.
>
> The reason we use a 302 actually is for couchapps. I think we should
> change that behavior:
>
> 1. Provide appropriate HTTP response by default
> 2. Use the tricks of cookie auth (specific header) to let the
> CouchApps access to CouchDB. Something like "X-Auth-..." header in the
> request that notifies us we need to send a response that will not
> raise the dialog box in browsers.

Benoît,

I'm not a CouchApps developer, so I'm not completely aware of all the issues involved. Nevertheless, I support your idea. The issue you describe is related to https://issues.apache.org/jira/browse/COUCHDB-972 I think.

> Thoughts ?
>
> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2
>
> - benoît

--
Filipe David Manana,
fdman...@gmail.com, fdman...@apache.org

"Reasonable men adapt themselves to the world.
 Unreasonable men adapt the world to themselves.
 That's why all progress depends on unreasonable men."