- From: Scott Lawrence <scott-http@skrb.org>
- Date: Thu, 23 Oct 2003 12:57:46 -0400 (EDT)
- To: <rob.maidment@clearswift.com>
- Cc: <ietf-http-wg@w3.org>
>
> I am currently investigating a problem that occurs in this type of
> scenario:
>
> browser -> proxy1 -> proxy2 -> server
>
> Proxy1 is actually a Squid proxy, it is passing through the end-user
> authentication to proxy2. The problem occurs because proxy1 is reusing
> connections to proxy2 for requests from different users, but proxy2 is
> only authenticating the first request on each new connection. This
> means that subsequent requests are not being authenticated, and these
> requests are being treated as if they originated from the first user to
> use the connection.

You're not clear on what's happening here - what authentication header is proxy2 interpreting? As a proxy, it should not be using the Authorization header at all - that is for 'server', not any proxy.

As Dave pointed out, proxy1 should not be passing through any Proxy-Authorization header because that is a hop-by-hop header; if proxy2 is challenging by sending a 407, then only proxy1 can respond to that challenge (not intuitive, and perhaps not optimal, but that is what the standard says).

In any event, proxy2 is incorrect to associate the connection with the authentication of the first request on that connection; all requests are stateless, including authentication attributes. Each request must be authenticated on its own - this is _not_ one of the _actual_ benefits of persistent connections.
Received on Thursday, 23 October 2003 12:57:46 UTC
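The two points in the reply above, as an added example that is not part of the original thread or of Squid: proxy1 strips hop-by-hop headers (the RFC 2616 section 13.5.1 list plus anything named in Connection) before forwarding, and proxy2 authenticates every request on its own rather than remembering the first request on a connection. The user name, password and request heads are constructed sample values.

```python
import base64

# Hop-by-hop headers per RFC 2616 section 13.5.1; a proxy must not forward these.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}

def parse_head(raw: str):
    """Split a raw HTTP/1.1 request head into (request line, lowercase header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def strip_hop_by_hop(headers: dict) -> dict:
    """What proxy1 should forward: drop fixed hop-by-hop headers and those listed in Connection."""
    named = {h.strip().lower() for h in headers.get("connection", "").split(",") if h.strip()}
    return {k: v for k, v in headers.items() if k not in HOP_BY_HOP | named}

def authenticate_request(headers: dict, users: dict):
    """Proxy2-side check on ONE request: returns the user name, or None for a 407 challenge."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if users.get(user) == pw else None

def handle_connection(raw_requests, users):
    """Authenticate each request on a shared persistent connection independently.
    No state is carried from one request to the next, so a request without valid
    credentials gets 407 even when the previous request on the connection passed."""
    results = []
    for raw in raw_requests:
        _, headers = parse_head(raw)
        user = authenticate_request(headers, users)
        results.append(user if user else 407)
    return results

# Constructed sample: two requests from different users reusing one proxy1->proxy2 connection.
USERS = {"alice": "s3cret"}
CRED = base64.b64encode(b"alice:s3cret").decode()
REQ_ALICE = ("GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n"
             f"Proxy-Authorization: Basic {CRED}\r\nConnection: X-Trace\r\nX-Trace: 1\r\n\r\n")
REQ_BOB = "GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n"
```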