[Web-SIG] Communicating authenticated user information

Alan Kennedy pywebsig at xhaus.com
Sun Jan 22 20:08:05 CET 2006

[Alan Kennedy]
>> I agree about not sending this information back to the user: it's
>> unnecessary and potentially dangerous.

[Phillip J. Eby]
> Yep, it would be really dangerous to let me know who I just logged in to 
> an application as.  I might find out who I really am! ;)

Very droll ;-)

What if other information, such as meta-information about the auth 
directory or database in which the credentials were looked up, was also 
communicated through X-headers, e.g. server connection details, etc.

Happy for that to go back to the user too?

If X-headers are to be used in WSGI, I think there should be something 
in the spec about whether or not they should be transmitted to the user.


More information about the Web-SIG mailing list