W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2003

Re: Chained proxies, persistent connections, authentication

From: Dave Kristol <dmk@acm.org>
Date: Thu, 23 Oct 2003 11:34:25 -0400 (EDT)
Message-ID: <3F97F4D3.3090703@acm.org>
To: Rob Maidment <rob.maidment@clearswift.com>
Cc: "'ietf-http-wg@w3.org'" <ietf-http-wg@w3.org>

Rob Maidment wrote:
> I am currently investigating a problem that occurs in this type of 
> scenario:
> browser -> proxy1 -> proxy2 -> server
> Proxy1 is actually a Squid proxy, it is passing though the end-user 
> authentication to proxy2.  The problem occurs because proxy1 is reusing 
> connections to proxy2 for requests from different users, but proxy2 is 
> only authenticating the first request on each new connection.  This 
> means that subsequent requests are not being authenticated, and these 
> requests are being treated as if they originated from the first user to 
> use the connection. 
> Which proxy is at fault?  I understood that one of the intended benefits 
> of persistent connections was that a proxy would only have to 
> authenticate the first request on each connection, which is a huge 
> performance benefit.  But ths assumes that a downstream proxy that 
> passes through user authentication will not re-use the connection for 
> different users.  Having said that, so far I have been unable to find 
> any specification that says a proxy need only authenticate the first 
> request on each connection.

IMO, proxy1 is at fault.  Proxy-authenticate is a hop-by-hop header.  Proxy1 can 
authenticate itself to proxy2, but the browser cannot (according to the 
standard) authenticate *itself* to proxy2, only to proxy1.  If the 
authentication adhered to that rule, the persistent connection between proxies 1 
and 2 would be managed correctly.

Dave Kristol
Received on Thursday, 23 October 2003 11:43:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:13:24 UTC