W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2003

RE: Chained proxies, persistent connections, authentication

From: Paul Leach <paulle@windows.microsoft.com>
Date: Thu, 23 Oct 2003 16:44:25 -0400 (EDT)
Message-ID: <91D7F2CEE3425A4A9D11311D09FCE2460565977F@WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com>
To: "Rob Maidment" <rob.maidment@clearswift.com>, <ietf-http-wg@w3.org>
Yes, but as it also states, these would be "improvements" to HTTP. The
necessary improvements were not incorporatedto enable the benefit.
IMO, doing authentication for otherwise unprotected connections is only
adequate for very low value services. Anything of even moderate value needs
to use SSL (not just for privacy, but also for integrity) and in that case
HTTP dictates that the connection not be shared.


From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On
Behalf Of Rob Maidment
Sent: Thursday, October 23, 2003 8:45 AM
To: 'ietf-http-wg@w3.org'
Subject: RE: Chained proxies, persistent connections, authentication

Just to throw some more fuel on the fire, this is an excerpt from WRL
Research Report 95/4 "The Case for Persistent-Connection HTTP" (Jeffrey
Mogul, May 95):

"A persistent-connection model for Web access potentially provides the
opportunity for other 
improvements to HTTP [20]. For example, if authentication could be done
per-connection rather 
than per-request, that should significantly reduce the cost of robust
authentication, and so might 
speed its acceptance." 


	 -----Original Message----- 
From:   Rob Maidment  
Sent:   23 October 2003 15:32 
To:     'ietf-http-wg@w3.org' 
Subject:        Chained proxies, persistent connections, authentication 

	I am currently investigating a problem that occurs in this type of

	browser -> proxy1 -> proxy2 -> server 

	Proxy1 is actually a Squid proxy, it is passing though the end-user
authentication to proxy2.  The problem occurs because proxy1 is reusing
connections to proxy2 for requests from different users, but proxy2 is only
authenticating the first request on each new connection.  This means that
subsequent requests are not being authenticated, and these requests are
being treated as if they originated from the first user to use the

	Which proxy is at fault?  I understood that one of the intended
benefits of persistent connections was that a proxy would only have to
authenticate the first request on each connection, which is a huge
performance benefit.  But ths assumes that a downstream proxy that passes
through user authentication will not re-use the connection for different
users.  Having said that, so far I have been unable to find any
specification that says a proxy need only authenticate the first request on
each connection.

	I'd appreciate any thoughts on the matter, 

	Rob Maidment. 

Clearswift monitors, controls and protects all its messaging traffic in 
compliance with its corporate email policy using Clearswift products. 
Find out more about Clearswift, its solutions and services at 
This communication is confidential and may contain privileged 
information intended solely for the named addressee(s). It may not 
be used or disclosed except for the purpose for which it has been 
sent. If you are not the intended recipient, you must not copy, 
distribute or take any action in reliance on it. Unless expressly stated, 
opinions in this message are those of the individual sender and not of 
Clearswift. If you have received this communication in error, please 
notify Clearswift by emailing support@clearswift.com quoting the 
sender and delete the message and any attached documents. Clearswift accepts
no liability or responsibility for any onward transmission or use of emails
and attachments having left the Clearswift domain.
This footnote confirms that this email message has been swept by 
MIMEsweeper for Content Security threats, including computer viruses.

Received on Thursday, 23 October 2003 16:53:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:13:24 UTC