On Wed, Sep 16, 2009 at 22:36, Vidar Ramdal <vi...@idium.no> wrote:
> I think this is due to the way the browser handles HTTP
> authentication. If I remember correctly:
>
> When you request /a/b.html?sling:authRequestLogin, and get an HTTP
> login dialog, the browser stores the credentials for the path /a/b
> (and all paths underneath it).
> Thus, the browser will not send the credentials when you request
> /a/c.html, since that path is not underneath /a/b.
>
> However, if you request /a?sling:authRequestLogin first, auth headers
> will be sent on subsequent requests to /a/b and /a/c.

Right, and this can be different from browser to browser. In my experience, Firefox and IE are not that strict and will apply cached credentials for the same realm on the entire domain (e.g. my.app.com/), so you shouldn't see this problem with them (but I am not sure, maybe it is only the case in certain versions of them).

Safari and Chrome (i.e. WebKit-based ones, although HTTP and credential handling is not part of the core WebKit code) are more strict and will definitely apply them for a given resource and its "tree" below. They will also only cache credentials that were entered manually, i.e. any XHR trick to pass in the credentials while avoiding the (ugly) browser login dialog will fail there.

Regards,
Alex

--
Alexander Klimetschek
alexander.klimetsc...@day.com