Re: problems with the squid-2.5 connection pinning

From: Kinkie <kinkie-dev@dont-contact.us>
Date: Sat, 15 Apr 2006 18:01:56 +0200

On Sat, 2006-04-15 at 17:03 +0200, Henrik Nordstrom wrote:
> Sat 2006-04-15 at 09:10 +0800, Steven Wilton wrote:
>
> > Is it really a problem if the client is sent a new auth challenge? If the
> > client connection is closed because the server went away, the client will
> > most likely need to refresh the page, which will result in a new auth
> > challenge being issued anyway.
>
> Yes, but here the client expects the auth challenge.
>
> The problem with sending a new auth challenge on an already
> authenticated NTLM/Negotiate is that as far as the client knows this
> connection to the web server is already authenticated, and receiving a
> new auth challenge on the same connection can only mean that the
> previously sent credentials aren't acceptable for the requested object
> and the end-user has to be queried for a new login.. or at least so is
> the principle behind how authentication works in HTTP. Now with
> Microsoft already ignoring the specifications in many other aspects they
> probably ignore this as well..

IIRC they do. They just accept the new challenge and re-auth. Only case
when the user gets an auth-prompt is when a 407 is sent back on an
AUTHENTICATE packet.
But closing the connection is in any case less prone to interpretation
doubts.

        Kinkie
Received on Sat Apr 15 2006 - 10:57:40 MDT