Computer and information networks such as the Internet allow users of computer systems to exchange data using a variety of mechanisms and techniques. As an example, a user controlling a web browser software application operating on a client computer system coupled to a local area network (LAN) can select a hyperlink that corresponds to data (e.g., a web page) stored on (or served by) a web server computer system coupled to a wide area network (WAN) such as the Internet. The two networks (i.e., the LAN and the WAN) may be coupled by one or more data communications devices such as edge routers or switches that may operate as gateways or firewalls between the two networks. In response to the user's selection of the hyperlink, the web browser uses one or more protocols such as the HyperText Transport Protocol (HTTP) over the Transmission Control Protocol (TCP) to communicate through the network with a web server software application operating on the web server computer system in order to establish a data communications session between the client computer system and the web server. Once such a session is established, the web server can begin serving or otherwise providing the requested data (e.g., a web page or other information) in one or more data packets back to the browser operating on the client computer system. Upon receipt of the data, the browser can render, play or otherwise present the requested data to the user. In this manner, a web site operating as a collection of one or more web servers can serve data to clients.
In some situations, an organization operating a web server computer system may desire to restrict access to data that can be served by the web site to one or more users. As an example, a web site operator may require user authentication in order for the user to be able to access certain documents or other data served by the web site. Data communications protocols such as HTTP provide user authentication features that may be enabled in order to protect or restrict access to such documents. As an example, HTTP has authentication features that enable authentication of users either by the hostname of the browser being used or by asking for a username and password from a specific user attempting access to restricted data.
Generally, to enable HTTP user authentication, an administrator or Webmaster of a web site creates a user database of usernames and corresponding passwords. In addition, the administrator configures a realm which designates a section of the web site such as a directory and all of its subdirectories that contain data that requires user authentication for access to the data. Using various other conventional techniques, the administrator can then associate usernames (some or all) or hostnames or hostname/username pairs to the realm (or to certain portions or resources within the realm) in order to specify which users or which hosts (i.e., which client computers) are allowed access to which resources (i.e., to which documents) in the realm provided that those users supply a correct password for such access.
Once properly configured, a conventional web site using the aforementioned user authentication techniques can operate to receive client requests for access (e.g., a user request to access a web page) to a resource within the realm that requires authentication. Since the requested resource requires authentication, the server computer system will return an “Unauthorized” status (e.g., an HTTP 401 status) back to the client browser in response to such a request. The unauthorized status will include an authentication response header that identifies the authentication scheme in use (i.e., required) by the server, such as basic authentication requiring a username and password from the user operating the client browser. The browser will then ask the user to enter a username and password and, upon entry of such information, the browser will again request access to the resource, but this time will include an authentication header within the second request. The authentication header contains the name of the authentication scheme as well as the username and password information entered by the user. Upon receipt of the request containing the authentication header, the server checks the username and password against its authentication database and, if they are valid, returns the requested data (e.g., the web page).
Assuming that the username and password are valid, the user might operate the web browser to submit another request for a resource (e.g., another web page) that is protected within the realm (i.e., that requires user authentication). To avoid requiring the user to enter username and password details again for the same realm, conventional browsers are configured to send the authentication header on each subsequent request to the same web server. In this manner, once a user is authenticated for access to the realm of a web server, the user can access other resources of the realm without being asked for username and password entry again.
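The realm configuration, the 401 challenge, the credentialed retry and the browser's reuse of the header described above can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not code from the document or from any product it describes; the realm name, the directory prefix, the username and password, and the PBKDF2 iteration count are constructed values chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed realm configuration: a realm protects a directory prefix
# and all of its subdirectories, as the text describes.
REALM_NAME = "Restricted Area"
REALM_PREFIX = "/private/"
PBKDF2_ITERATIONS = 50_000  # example value, not a recommendation


def make_record(password: str) -> dict:
    """Store a salted password hash rather than the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed user database (username and password invented for this example).
USER_DB = {"alice": make_record("correct horse")}


def resource_requires_auth(path: str) -> bool:
    """True when the requested path lies inside the protected realm."""
    return path.startswith(REALM_PREFIX)


def parse_basic_authorization(header_value):
    """Return (username, password) from a 'Basic <base64>' header, or None if malformed."""
    if header_value is None:
        return None
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def credentials_valid(username: str, password: str) -> bool:
    """Check the supplied pair against the database in constant time."""
    record = USER_DB.get(username)
    # Do the hashing work even for unknown users so timing does not reveal
    # whether the username exists.
    salt = record["salt"] if record else bytes(16)
    expected = record["digest"] if record else bytes(32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return record is not None and hmac.compare_digest(candidate, expected)


def handle_request(path: str, headers: dict) -> tuple:
    """Server side: return (status, response_headers, body) for one request."""
    if not resource_requires_auth(path):
        return 200, {}, f"public resource {path}"
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        # The challenge names the scheme and the realm the browser must satisfy.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM_NAME}"'}, "Unauthorized"
    return 200, {}, f"protected resource {path} for {creds[0]}"


def basic_header(username: str, password: str) -> dict:
    """Client side: the header a browser builds after the user types credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def simulate_session() -> tuple:
    """Challenge, credentialed retry, then header reuse on a second realm resource."""
    first = handle_request("/private/report.html", {})
    hdrs = basic_header("alice", "correct horse")
    second = handle_request("/private/report.html", hdrs)
    third = handle_request("/private/sub/data.html", hdrs)  # browser resends the header
    return first[0], second[0], third[0]


if __name__ == "__main__":
    print(simulate_session())
```

Two points the exchange makes visible: the Basic scheme only base64-encodes the username and password, so the header is readable by anyone who can observe the connection unless it is carried over TLS, and because the browser attaches that header to every later request for the same server, the credentials are exposed on every request for as long as the browsing session lasts. The server-side check above hashes the stored password and compares in constant time; the protocol itself does nothing to protect the credential in transit.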