Chained proxies, persistent connections, authentication

I am currently investigating a problem that occurs in this type of scenario:

browser -> proxy1 -> proxy2 -> server

Proxy1 is actually a Squid proxy, it is passing though the end-user
authentication to proxy2.  The problem occurs because proxy1 is reusing
connections to proxy2 for requests from different users, but proxy2 is only
authenticating the first request on each new connection.  This means that
subsequent requests are not being authenticated, and these requests are
being treated as if they originated from the first user to use the
connection.  

Which proxy is at fault?  I understood that one of the intended benefits of
persistent connections was that a proxy would only have to authenticate the
first request on each connection, which is a huge performance benefit.  But
ths assumes that a downstream proxy that passes through user authentication
will not re-use the connection for different users.  Having said that, so
far I have been unable to find any specification that says a proxy need only
authenticate the first request on each connection.

I'd appreciate any thoughts on the matter,


Rob Maidment.



---------------------------------------------------------------------------------------------------------------
Clearswift monitors, controls and protects all its messaging traffic in 
compliance with its corporate email policy using Clearswift products. 
Find out more about Clearswift, its solutions and services at 
www.clearswift.com.
***********************************************************************************
This communication is confidential and may contain privileged 
information intended solely for the named addressee(s). It may not 
be used or disclosed except for the purpose for which it has been 
sent. If you are not the intended recipient, you must not copy, 
distribute or take any action in reliance on it. Unless expressly stated, 
opinions in this message are those of the individual sender and not of 
Clearswift. If you have received this communication in error, please 
notify Clearswift by emailing support@clearswift.com quoting the 
sender and delete the message and any attached documents. Clearswift accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the Clearswift domain.
This footnote confirms that this email message has been swept by 
MIMEsweeper for Content Security threats, including computer viruses.

Received on Thursday, 23 October 2003 10:31:51 UTC