On Thu, 23 Jun 2005, Kinkie wrote:
> How do you plan to get around the fact that cookies are tied to at most
> the second-level domain of the URL the user is visiting?
What you do is that to define one server name as the "login server". When
seeing a request without the needed cookie you redirect to the login
server including the requested URL as argument, and the login server
responds by returing a set of cookies suitable for both itself and the
requested domain. Already done that in reverse-proxy setups where no
modification to Squid is required at all (just some acl helpers to verify
the used cookies, and a suitable deny_info directive).
But as Kinkie said, this is not a wonderful thing to do for intercepting
proxies. You both risk flooding the client with cookies, and also the
needed redirection itn't always safe. Most notably you can only redirect
GET requests in this manner, and if the first request for a new domain is
POST or something else you get into trouble..
Another thing to consider for doing this in a intercepting Squid proxy is
that you need to extend Squid to not forward your login cookie. You do not
want this information to leak out on the Internet as it is both a security
and a privacy threat. You must also be careful in selecting the name of
your cookie to not collide with any cookies the accessed Internet servers
may use.
Regards
Henrik
Received on Fri Jun 24 2005 - 13:59:35 MDT
This archive was generated by hypermail pre-2.1.9 : Thu Jun 30 2005 - 12:00:05 MDT