Proxy authentication

[Q: Where/why did the www-proxy list disappear?  I can't see a more
appropriate replacement on http://www.w3.org/pub/WWW/Mail/Lists.html]

I've just had a query (or complaint) from a user who is having trouble
accessing sites through a proxy server.  It turns out that this proxy
(CERN/3.0 according to its Server: header) wants authentication before it
will proxy stuff.  I gather that this is a proxy used for dialup accounts,
and that the administrators wish to restrict its use to those dialup
customers.

The problem is that it responds using a status code of 401 and not 407.
Whilst my browser will quite happily perform proxy authentication if it
receives a 407 response, it considers a 401 response to mean that the
target server requires authentication, and not the proxy.  Not
unreasonable, seeing as the WWW-Authenticate header does not specify a
hostname, only the authentication type and the realm.  Since my browser
caches successful authentication checks by (host,realm,dir,auth) tuples,
every time my user accesses a page on a different host, authentication is
asked for again.

According to this user, Netscape also suffers from this problem, but
MS-IE doesn't.

First question: Is the proxy wrong to send a 401 response when it is the
proxy that requires the authentication?  (I think it is) 

Second question: Now I can't see any way that MS-IE can possibly know
to send the authentication every time.  Is it resending purely based on
the realm in the WWW-Authenticate directive?  If so, isn't this quite a
large security problem, especially since the basic authentication
scheme only uses BASE64 encoding?  (If I set my own server up with the
same realm as another, then I'll receive the authentication header from
the client and could quite easily misuse that information).

-- 
Stewart Brodie, Electronics & Computer Science, Southampton University.
http://www.ecs.soton.ac.uk/~snb94r/      http://delenn.ecs.soton.ac.uk/

Received on Wednesday, 10 July 1996 08:14:48 UTC
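Added example, not part of the post above: a toy HTTP client with a credential cache, written to illustrate both questions. The proxy, origin servers, hostnames, realms and passwords are all constructed for the simulation. `proxy_401_symptom` reproduces the first problem (a proxy that challenges with 401 makes a browser that scopes credentials by host prompt again for every new host, while a realm-only cache prompts once), and `realm_leak` reproduces the second (a cache keyed on the realm string alone hands the intranet password to any other host that advertises the same realm, whereas a (host, realm) key does not).

```python
"""Simulated HTTP client credential cache: 407 vs 401 challenges and
(host, realm) vs realm-only caching. All hosts and accounts are constructed."""
import base64
import re

PROXY_CREDS = ("dialup-user", "dialup-pass")   # constructed
SITE_CREDS = ("alice", "wonderland")           # constructed
PROXY_REALM, SITE_REALM = "Dialup", "Staff"


def basic_token(user, password):
    """Basic credentials: base64 of 'user:password' (encoding, not encryption)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_realm(challenge):
    """Pull the realm out of a Basic challenge such as 'Basic realm="Staff"'."""
    m = re.search(r'realm="([^"]*)"', challenge)
    return m.group(1) if m else ""


def proxy(headers, uses_407):
    """Constructed proxy: returns a challenge, or None to forward the request."""
    if uses_407:
        if headers.get("Proxy-Authorization") == basic_token(*PROXY_CREDS):
            return None
        return 407, {"Proxy-Authenticate": f'Basic realm="{PROXY_REALM}"'}
    # The behaviour from the post: a proxy that challenges with 401 instead.
    if headers.get("Authorization") == basic_token(*PROXY_CREDS):
        return None
    return 401, {"WWW-Authenticate": f'Basic realm="{PROXY_REALM}"'}


def origin(host, headers):
    """Constructed origin servers; two of them advertise the same realm string."""
    if host == "intranet.example":
        if headers.get("Authorization") == basic_token(*SITE_CREDS):
            return 200, {}
        return 401, {"WWW-Authenticate": f'Basic realm="{SITE_REALM}"'}
    if host == "other.example":   # a different host that reuses the realm name
        return 401, {"WWW-Authenticate": f'Basic realm="{SITE_REALM}"'}
    return 200, {}                # public hosts need no credentials


def user(host, realm):
    """Constructed user: knows the proxy password and the intranet password only."""
    if realm == PROXY_REALM:
        return PROXY_CREDS
    if (host, realm) == ("intranet.example", SITE_REALM):
        return SITE_CREDS
    return None                   # declines to type a password for an unknown host


class Client:
    def __init__(self, key_on_host):
        self.key_on_host = key_on_host   # True: cache by (host, realm); False: realm only
        self.proxy_token = None
        self.site_tokens = {}
        self.prompts = []                # (host, realm) pairs the user was asked for
        self.sent = []                   # (host, Authorization) pairs transmitted

    def fetch(self, host, uses_407):
        headers = {}
        for _ in range(4):               # bounded retry: proxy challenge, site challenge, done
            if self.proxy_token:
                headers["Proxy-Authorization"] = self.proxy_token
            status, resp = proxy(headers, uses_407) or origin(host, headers)
            if status == 407:
                # Proxy credentials are scoped to the proxy, never to the target host.
                self.prompts.append(("proxy", PROXY_REALM))
                self.proxy_token = basic_token(*user("proxy", PROXY_REALM))
                continue
            if status == 401:
                realm = parse_realm(resp["WWW-Authenticate"])
                key = (host, realm) if self.key_on_host else realm
                if key not in self.site_tokens:
                    self.prompts.append((host, realm))
                    creds = user(host, realm)
                    if creds is None:
                        return 401
                    self.site_tokens[key] = basic_token(*creds)
                headers["Authorization"] = self.site_tokens[key]
                self.sent.append((host, headers["Authorization"]))
                continue
            return status
        return status


def realm_leak(key_on_host):
    """Second question: correct 407 proxy, then two hosts sharing a realm name.
    Returns (credentials sent to other.example?, number of prompts)."""
    c = Client(key_on_host)
    c.fetch("intranet.example", uses_407=True)
    c.fetch("other.example", uses_407=True)
    return any(h == "other.example" for h, _ in c.sent), len(c.prompts)


def proxy_401_symptom(key_on_host):
    """First question: a proxy that says 401; count prompts across three hosts."""
    c = Client(key_on_host)
    for host in ("public-a.example", "public-b.example", "public-c.example"):
        c.fetch(host, uses_407=False)
    return len(c.prompts)


if __name__ == "__main__":
    print("407 proxy, (host, realm) cache:", realm_leak(True))
    print("407 proxy, realm-only cache:  ", realm_leak(False))
    print("401 proxy, (host, realm) cache prompts:", proxy_401_symptom(True))
    print("401 proxy, realm-only cache prompts:  ", proxy_401_symptom(False))
```

The audit log in `Client.sent` also shows the second cost of a 401-style proxy: its password travels in the ordinary `Authorization` header, which the client forwards to the origin server along with the request, whereas a 407 challenge keeps it in `Proxy-Authorization`, scoped to the proxy hop.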