RE: passing on Proxy Authentication

> -----Original Message-----
> From: Nottingham, Mark (Australia)
> [mailto:mark_nottingham@exchange.au.ml.com]
> Sent: Sunday, September 13, 1998 4:57 PM
> To: Paul Leach; http-wg@hplb.hpl.hp.com
> Subject: RE: passing on Proxy Authentication
> 
> will include a
> Proxy-Authorization header. What I'm suggesting is that the 
> proxy could be
> configured to translate that into an Authorization header and 
> pass it on to
> selected Web servers (foo, bar, and baz, perhaps *.foo.com, but never
> anything else), so that the user does not need to re-authenticate
> themselves.
>
Technically, there is nothing that stops you from writing
a proxy to do this.  (Or to create an ISAPI, NSAPI, module, etc to do same)
However, I would recommend against it.
You'd need to maintain lists on your proxy of which hosts
are part of which domain so that a rogue web server doesn't
ask for credentials that it is not a part of.
In general, this would be misapplying the intent of proxy-authorization.

In addition, I believe the way people tackle this today is by using cookies.
You need to make sure all services are really in the same DNS domain
and follow the cookie security guidelines.

The best way to solve this, IMHO, is to propose a new authentication
scheme (other than basic and digest) to provide this functionality.

---
Josh Cohen <joshco@microsoft.com>
IE Program Manager Lead - Networking
  
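Added example, not code from the thread or from either author: a proxy-side decision function that does what the reply warns a proxy would have to do, keeping an explicit list of which origin hosts may receive the client's credential. It consumes Proxy-Authorization on every request and emits an Authorization header only for allowlisted hosts, with a dot-anchored suffix match so look-alike hostnames are refused; the allowlist, hostnames and credential below are constructed for illustration.

```python
# Added example: allowlist-gated translation of Proxy-Authorization into
# Authorization at the proxy. Everything here is constructed; the allowlist
# mirrors the "foo, bar, baz, perhaps *.foo.com, never anything else" idea.
from urllib.parse import urlsplit

# Constructed allowlist: exact hosts plus one wildcard suffix.
ALLOWED_HOSTS = {"foo", "bar", "baz"}
ALLOWED_SUFFIXES = {"foo.com"}   # covers foo.com and *.foo.com


def host_allowed(host: str) -> bool:
    """True only for exact or dot-anchored suffix matches."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS or host in ALLOWED_SUFFIXES:
        return True
    # The leading dot is what stops "evilfoo.com" matching "foo.com".
    return any(host.endswith("." + sfx) for sfx in ALLOWED_SUFFIXES)


def forward_headers(request_url: str, headers: dict) -> dict:
    """Headers the proxy sends upstream for one client request."""
    # Proxy-Authorization is hop-by-hop: the proxy consumes it and never
    # forwards it, whatever the destination.
    out = {k: v for k, v in headers.items()
           if k.lower() != "proxy-authorization"}
    cred = next((v for k, v in headers.items()
                 if k.lower() == "proxy-authorization"), None)
    host = urlsplit(request_url).hostname or ""
    already_authed = any(k.lower() == "authorization" for k in out)
    if cred is not None and host_allowed(host) and not already_authed:
        # Translate only for allowlisted origins, and never clobber an
        # Authorization header the client chose to send itself.
        out["Authorization"] = cred
    return out


if __name__ == "__main__":
    cred = "Basic dXNlcjpzZWNyZXQ="   # constructed sample credential
    print(forward_headers("http://www.foo.com/", {"Proxy-Authorization": cred}))
    print(forward_headers("http://evilfoo.com/", {"Proxy-Authorization": cred}))
```

The second call shows the rogue-server case from the reply: the look-alike host gets neither header, so the credential is not disclosed.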

Received on Monday, 14 September 1998 03:05:46 UTC