- From: Dave Kristol <dmk@acm.org>
- Date: Thu, 23 Oct 2003 11:34:25 -0400 (EDT)
- To: Rob Maidment <rob.maidment@clearswift.com>
- Cc: "'ietf-http-wg@w3.org'" <ietf-http-wg@w3.org>
Rob Maidment wrote:
>
> I am currently investigating a problem that occurs in this type of
> scenario:
>
> browser -> proxy1 -> proxy2 -> server
>
> Proxy1 is actually a Squid proxy, it is passing through the end-user
> authentication to proxy2. The problem occurs because proxy1 is reusing
> connections to proxy2 for requests from different users, but proxy2 is
> only authenticating the first request on each new connection. This
> means that subsequent requests are not being authenticated, and these
> requests are being treated as if they originated from the first user to
> use the connection.
>
> Which proxy is at fault? I understood that one of the intended benefits
> of persistent connections was that a proxy would only have to
> authenticate the first request on each connection, which is a huge
> performance benefit. But this assumes that a downstream proxy that
> passes through user authentication will not re-use the connection for
> different users. Having said that, so far I have been unable to find
> any specification that says a proxy need only authenticate the first
> request on each connection.

IMO, proxy1 is at fault. Proxy-authenticate is a hop-by-hop header.
Proxy1 can authenticate itself to proxy2, but the browser cannot
(according to the standard) authenticate *itself* to proxy2, only to
proxy1. If the authentication adhered to that rule, the persistent
connection between proxies 1 and 2 would be managed correctly.

Dave Kristol
Received on Thursday, 23 October 2003 11:43:25 UTC
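
The misattribution described in this thread, as an added Python example that is not part of the original message: it compares a proxy that authenticates only the first request on a shared persistent connection with one that authenticates every request, and shows hop-by-hop header stripping at the forwarding proxy. The Basic scheme, user names, passwords, URLs and function names are assumptions constructed for illustration.

```python
import base64
import hmac

USERS = {"alice": "a-secret", "bob": "b-secret"}  # constructed credential store

# Hop-by-hop headers listed in RFC 2616 section 13.5.1 (lower-cased).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}

def basic(user, password):
    """Build a Basic credential value for the constructed sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample: requests from different users that proxy1 sends to
# proxy2 over ONE persistent connection, as (url, headers) pairs.
SHARED_CONNECTION = [
    ("http://example.test/a", {"Proxy-Authorization": basic("alice", "a-secret")}),
    ("http://example.test/b", {"Proxy-Authorization": basic("bob", "b-secret")}),
    ("http://example.test/c", {}),  # carries no credentials at all
]

def check(headers):
    """Return the authenticated user name, or None (the proxy would send 407)."""
    value = headers.get("Proxy-Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user

def per_connection(requests):
    """Behaviour reported for proxy2: only the first request is authenticated."""
    owner = check(requests[0][1])
    return [(url, owner) for url, _ in requests]

def per_request(requests):
    """Every request on the connection is authenticated on its own."""
    return [(url, check(headers)) for url, headers in requests]

def forward_headers(headers):
    """Drop hop-by-hop headers so user credentials stop at the first proxy."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
```

With per-connection authentication all three requests are attributed to the first user; with per-request authentication the unauthenticated third request is rejected.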