Think about this: A no-authentication required page (say a frameset) includes
other authentication-required objects (pages in frames, as an example, or images
or whatnot).
Browser parallelises the fetches to some limited degree. Each one comes back with
a 401 Authentication Required, and the browser dutifully pops the box up for it.
Each and every time. If the authentication dialog was application-modal, the
username and password would be available for at least some of the subsequent
requests, and the user wouldn't be prompted much further.
This also happens if the encapsulating page is in a different authentication
domain to its children.
D
Brett Lymn wrote:
> Folks,
> I am running Squid-2.2stable5 with smb_auth v0.04 on some
> Solaris 2.6 boxen. I have the authentication set up so that our users
> authenticate against our NT domain before they can surf external
> sites.
>
> For the most part this works like a charm, the user pops in their
> username and password and away they go. But there are some sites
> where the user is prompted over and over again to authenticate. If
> the user cancels all the extra authentication prompts and reloads the
> page then things work ok. From what I can see it appears that this
> problem occurs when there are links embedded into javascript buttons,
> www.hp.com was the first occurrence of the problem we saw here. Has
> anyone any clues about how we can stop this happening?
>
> BTW there was a method of stealing someone else's authentication posted
> on Bugtraq not long ago, does v2.2-stable5 close this hole? I could
> not see it in the ChangeLog.
>
> --
> ===============================================================================
> Brett Lymn, Computer Systems Administrator, British Aerospace Australia
> ===============================================================================
Received on Thu Jan 27 2000 - 00:01:22 MST
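
A toy model of the behaviour described in the reply above, added here as an illustration and not part of the original thread: several objects are fetched in parallel, each gets a 401, and the number of password prompts depends on whether the dialog is application-modal. The `Browser` class, the `server` function, the URLs and the credentials are all constructed for this example.

```python
import asyncio

GOOD = ("user", "secret")  # constructed credentials for the example


def server(url, creds):
    """Stand-in for the authenticating server: 401 unless creds are valid."""
    return 200 if creds == GOOD else 401


class Browser:
    def __init__(self, modal):
        self.modal = modal            # True: one application-modal dialog
        self.cached = None            # credentials remembered after a prompt
        self.prompts = 0              # how many dialogs the user saw
        self.dialog = asyncio.Lock()  # serialises prompting when modal

    async def ask_user(self):
        self.prompts += 1
        await asyncio.sleep(0.01)     # the user typing; other fetches keep running
        return GOOD

    async def credentials(self):
        if not self.modal:
            # Every in-flight request that saw a 401 raises its own dialog.
            self.cached = await self.ask_user()
            return self.cached
        async with self.dialog:
            # Requests queued behind the first dialog reuse its answer.
            if self.cached is None:
                self.cached = await self.ask_user()
            return self.cached

    async def fetch(self, url):
        status = server(url, self.cached)
        if status == 401:
            status = server(url, await self.credentials())
        return status


async def load_page(modal, objects):
    browser = Browser(modal)
    urls = [f"/frame{i}" for i in range(objects)]
    statuses = await asyncio.gather(*(browser.fetch(u) for u in urls))
    return browser.prompts, statuses


def count_prompts(modal, objects=4):
    """Return (number of prompts, list of final HTTP statuses)."""
    return asyncio.run(load_page(modal, objects))
```
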