On Thu, 2002-11-28 at 01:03, Henrik Nordstrom wrote:
> Indeed they have, however, the method as outlined in this I-D only
> works if all proxies in the request chain either support the
> extension or do not support it at all.
>
> If you have a mix of proxies some supporting the connection pinning
> extension and some not supporting it then very bad things will happen
> as the browser then gets fooled into thinking that connection pinning
> is supported by the request path.

That should not happen. If two proxies are in a chain, the one closest
to the client can only sanely add the session authentication header flag
when it sees a server auth request if

a) that request was not through an upstream, and it has discretion on
   future requests.
b) the upstream proxy also added the header.

Rob
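
Added example, not part of the original message or of the I-D: a small model of a proxy chain comparing a proxy that always adds the flag with one that applies conditions (a)/(b) above, read here as alternatives. The `Proxy` class, the function names, and the assumption that a non-supporting proxy does not pass the flag on are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Proxy:
    name: str
    supports_pinning: bool


def client_sees_flag(chain, apply_rule):
    """Return True if the session-auth flag reaches the client.

    chain[0] is the proxy nearest the client; chain[-1] talks to the
    origin server directly. The response is walked from the origin side
    back toward the client.
    """
    flag = False  # the origin server itself never sets the flag
    for i in reversed(range(len(chain))):
        proxy = chain[i]
        has_upstream = i < len(chain) - 1
        if not proxy.supports_pinning:
            # Assumption: the flag is hop-by-hop, so a proxy that does
            # not know the extension does not pass it on.
            flag = False
        elif not apply_rule:
            # Naive behaviour: advertise whenever this hop supports pinning.
            flag = True
        else:
            # (a) no upstream (discretion over future requests assumed), or
            # (b) the upstream proxy also added the flag.
            flag = (not has_upstream) or flag
    return flag


def path_pins(chain):
    """Pinning only holds end to end if every hop implements it."""
    return all(p.supports_pinning for p in chain)


def client_fooled(chain, apply_rule):
    """True when the client is told pinning works but the path cannot pin."""
    return client_sees_flag(chain, apply_rule) and not path_pins(chain)


if __name__ == "__main__":
    # Constructed chain: near proxy supports pinning, far proxy does not.
    mixed = [Proxy("near", True), Proxy("far", False)]
    print("naive, mixed chain fooled:", client_fooled(mixed, apply_rule=False))
    print("rule,  mixed chain fooled:", client_fooled(mixed, apply_rule=True))
```
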
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:36 MST