I have the following problem: a user connects (via squid)
to a site that requires authentication. The site returns a
401, the client sends an "Authorization: Basic" and specifies
"Connection: Keep-Alive". The site delivers the page, and squid
keeps the connection open. Now a different client connects
before pconn_timeout expires, requesting the same page without
"Authorization:". squid issues the request over the same fd,
and the server delivers the page.
I'm trying to make the case that the server is at fault for
not checking the authorization on each request (not connection).
I believe that Henrik feels the same
(http://www.squid-cache.org/mail-archive/squid-dev/200010/0138.html)
but I can't identify the passage that supports this POV. The
closest I can get is in RFC2617 sec 2:

    A client MAY preemptively send the
    corresponding Authorization header with requests for resources in
    that space without receipt of another challenge from the server

This seems (to me) to imply that the server will check every request
for authorization, why else would the header be sent preemptively?
However, I can't find this stated anywhere (i.e. a server MUST check
every *request* for protected URIs for authorization).
Anybody got any pointers?
Thanks,
Rick.
--
Rick Lyons
WebCentral

Received on Wed Jul 04 2001 - 01:26:00 MDT
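Added example, not part of the original post and not squid's or any real origin server's code: a Python model of the exchange Rick describes. The `USERS` table, the `/private` path and the two client request strings are constructed for the demo; `serve_connection` replays both requests over one modelled kept-alive connection, once with a server that trusts the connection after any request on it authenticated, and once with a server that checks `Authorization` on every request, and returns the status codes each would send.

```python
# Added example, not from the original post: a model of the behaviour Rick
# describes, with the flawed per-connection server beside a per-request one.
import base64

USERS = {"alice": "s3cret"}  # constructed credentials for the demo

def credentials_ok(headers):
    """True if 'Authorization: Basic ...' decodes to a known user:password."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return USERS.get(user) == pwd

def parse_request(raw):
    """Minimal HTTP/1.1 parser: request line plus lowercased header dict."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def serve_connection(requests, per_connection_auth):
    """Serve raw requests that all arrived on ONE kept-alive connection.
    per_connection_auth=True: trust the socket once any request on it
    authenticated (the flawed server).  False: check every request."""
    authenticated = False
    statuses = []
    for raw in requests:
        _, headers = parse_request(raw)
        if credentials_ok(headers):
            authenticated = True
            statuses.append(200)
        elif per_connection_auth and authenticated:
            statuses.append(200)  # leak: second client sent no Authorization
        else:
            authenticated = False
            statuses.append(401)  # would carry WWW-Authenticate: Basic realm=...
    return statuses

# Constructed traffic: A authenticates, then squid reuses the same server fd
# for B's request, which carries no Authorization header.
TOKEN = base64.b64encode(b"alice:s3cret").decode()
CLIENT_A = ("GET /private HTTP/1.1\r\nHost: example\r\nAuthorization: Basic "
            + TOKEN + "\r\nConnection: Keep-Alive\r\n\r\n")
CLIENT_B = "GET /private HTTP/1.1\r\nHost: example\r\nConnection: Keep-Alive\r\n\r\n"
```

With `per_connection_auth=True` the second client gets a 200 without ever presenting credentials; with per-request checking it gets the 401 challenge, which is the behaviour the RFC2617 wording about preemptive `Authorization` headers presupposes.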