Re: Greetings / cookie auth for transparent mode

From: Kinkie <kinkie-dev@dont-contact.us>
Date: Thu, 23 Jun 2005 10:36:18 +0200

On Wed, 2005-06-22 at 10:09 -0400, Mark Bouldin wrote:
> Greetings all Squid developers,
>
> First off, thanks for all your hard work - Squid is a great proxy and a
> credit to the open source community.
>
> I use Squid at work, and hope to contribute back to the Squid project
> and add some functionality for my employer at the same time.
>
> In particular, I'm interested in adding an authentication mechanism that
> can be used in transparent proxying mode. I've seen this idea used in
> at least one commercial proxy; the basic idea is to redirect all
> unauthenticated traffic to HTTPS on a local web server (Apache), which
> allows the user to sign in, and sets a cookie in the client browser that
> will last for the life of the browser (or possibly have a time limit,
> e.g. 24 hours).
>
> The process would go like this:
> 1) Client opens browser which attempts to go to some homepage, e.g.
> google
> 2) Squid intercepts the request in transparent mode, checks for its
> authentication cookie, and not finding it, redirects the browser to a
> local Apache server.
> 3) The local Apache server presents a login form, and once the user has
> successfully authenticated, assigns a cookie. The
> cookie/username/IP/timelimit/etc would be stored in either a MySQL or
> Berkeley database.
> 4) Squid intercepts any subsequent requests, finds the authentication
> cookie, and passes this info to an authentication helper program. The
> helper program checks the MySQL/Berkeley DB, finds the user is
> authenticated, and returns a successful result to Squid, which fulfills
> the request.

How do you plan to get around the fact that cookies are tied to at most
the second-level domain of the URL the user is visiting?

i.e.
user visits http://foo.com/
squid detects no auth
apache authenticates and sets cookie for *.foo.com and redirects user to
original page
user browses foo.com
user finds a link to http://bar.com/ and follows it
cookie is tied to foo.com, so browser doesn't send any cookie
squid detects no auth
apache authenticates etc etc etc

?

The only alternative I see is for apache to be explicitly referenced by the
client and using a cookie of its own to determine whether the user
already authenticated, so as not to show the authentication dialog.

Pros:
- transparent authentication - good
Cons:
- inefficient (might not be a problem)
- floods the user-agent with cookies (and remember that the original
specifications called for 300 cookies stored on the client, and it was a
"should"-type requirement).

As for the feasibility, it should be pretty easy using an external type
ACL, without needing to go through the squid core code.

        Kinkie
Received on Thu Jun 23 2005 - 02:36:24 MDT
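An added illustration of the two points in this reply, not code from the thread or from Squid: `domain_matches` shows why a cookie set for *.foo.com is never sent with a request to bar.com, and the rest is a minimal external ACL helper of the kind Kinkie suggests, binding each session to the login IP and enforcing the 24-hour limit from the original proposal. The session store, cookie name `squidauth`, and the helper input format (`%SRC` followed by the Cookie header, as one would configure with `external_acl_type`) are assumptions for the example.

```python
import sys

# Constructed session store, standing in for the MySQL/Berkeley DB that the
# login page would fill: cookie token -> (username, client IP, expiry epoch).
NOW = 1_119_516_000  # constructed "current time" so the example is deterministic
SESSIONS = {
    "t0k3n-alice": ("alice", "10.0.0.5", NOW + 24 * 3600),
    "t0k3n-bob": ("bob", "10.0.0.6", NOW - 60),  # past its 24h limit
}

def domain_matches(cookie_domain, host):
    """RFC 2109 style domain-match: a cookie scoped to '.foo.com' is sent to
    foo.com and its subdomains, never to bar.com (Kinkie's objection)."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_value(cookie_header, name="squidauth"):
    """Pull one cookie's value out of a raw Cookie request header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def check(src_ip, cookie_header, now=NOW):
    """'OK' only for an unexpired session whose cookie is presented from the
    IP that logged in; anything else is 'ERR', and Squid can redirect to login."""
    token = cookie_value(cookie_header)
    session = SESSIONS.get(token) if token else None
    if session is None:
        return "ERR"
    _user, bound_ip, expires = session
    if bound_ip != src_ip or now > expires:
        return "ERR"
    return "OK"

def handle_line(line):
    """One helper request per line; assumed format '<src ip> <Cookie header>'
    (what an external_acl_type format of %SRC %{Cookie} would hand over)."""
    src_ip, _, cookie_header = line.rstrip("\r\n").partition(" ")
    return check(src_ip, cookie_header)

if __name__ == "__main__":
    # External ACL helper protocol: requests on stdin, one OK/ERR reply per line.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```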