Re: [squid-users] Basic authentication, Connection: keep-alive and IIS

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 05 Jul 2001 12:53:50 +0200

frob@webcentral.com.au wrote:
>
> I have the following problem: a user connects (via squid)
> to a site that requires authentication. The site returns a
> 401, the client sends an "Authorization: Basic" and specifies
> "Connection: Keep-Alive". The site delivers the page, and squid
> keeps the connection open. Now a different client connects
> before pconn_timeout expires, requesting the same page without
> "Authorization:". squid issues the request over the same fd,
> and the server delivers the page.

So the site is broken and allows unauthorized access (simply ask again
and you are in).

> I'm trying to make the case that the server is at fault for
> not checking the authorization on each request (not connection).
> I believe that Henrik feels the same
> (http://www.squid-cache.org/mail-archive/squid-dev/200010/0138.html)
> but I can't identify the passage that supports this POV. The
> closest I can get is in RFC2617 sec 2:

It is the request that is authorized in HTTP, not connections.

Connection persistence is a hop-by-hop feature, not an end-to-end
feature.

> This seems (to me) to imply that the server will check every request
> for authorization, why else would the header be sent preemptively?

Servers MUST check on every request as authorization is part of the
request, not connection. If there is no authorization header in the
request then it is not.

--
Henrik Nordstrom
Squid Hacker
Received on Thu Jul 05 2001 - 04:53:45 MDT
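The failure mode described in this thread, as an added example that is not code from the original post, from Squid or from IIS: two downstream clients are multiplexed by the proxy onto one persistent upstream connection, and the origin server is modelled in two ways, once keeping per-connection "already authorized" state (the broken behaviour frob reported) and once checking the Authorization header on every request as RFC 2617 requires. The credential store, the realm, the paths and the request bytes are constructed for the example.

```python
import base64
import hmac

# Constructed credential store for the example; not from the thread.
USERS = {"alice": "s3cret"}


def parse_request(raw: bytes):
    """Parse one HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased. Only the head is needed here; a body,
    if any, is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def basic_header(user: str, password: str) -> str:
    """Build the value of an 'Authorization: Basic ...' header (RFC 2617 sec 2)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials_ok(auth_header) -> bool:
    """True only if the header carries Basic credentials matching USERS."""
    if not auth_header:
        return False
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False          # malformed base64 or non-UTF-8 payload
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


def serve_connection(raw_requests, per_request: bool):
    """Serve a sequence of requests arriving on ONE persistent connection.

    per_request=True  : every request is checked for credentials (correct).
    per_request=False : the connection is marked authorized after the first
                        valid Authorization header and later requests on the
                        same connection are served unchecked (the broken
                        behaviour described in the thread).
    Returns the list of status codes in arrival order.
    """
    conn_authorized = False    # per-connection state; only the broken mode uses it
    statuses = []
    for raw in raw_requests:
        _method, _target, headers = parse_request(raw)
        creds_ok = basic_credentials_ok(headers.get("authorization"))
        if creds_ok:
            conn_authorized = True
        if creds_ok or (not per_request and conn_authorized):
            statuses.append(200)
        else:
            statuses.append(401)   # a real server would also send WWW-Authenticate
    return statuses


def squid_pconn_scenario(per_request: bool):
    """Client A authenticates; client B then asks for the same page without
    credentials, and the proxy sends both over the same upstream connection
    before pconn_timeout expires. Messages are constructed for the example."""
    client_a = (b"GET /private/page.html HTTP/1.1\r\n"
                b"Host: origin.example\r\n"
                + f"Authorization: {basic_header('alice', 's3cret')}\r\n".encode()
                + b"Connection: keep-alive\r\n\r\n")
    client_b = (b"GET /private/page.html HTTP/1.1\r\n"
                b"Host: origin.example\r\n"
                b"Connection: keep-alive\r\n\r\n")
    return serve_connection([client_a, client_b], per_request=per_request)


if __name__ == "__main__":
    print("per-connection auth (broken):", squid_pconn_scenario(per_request=False))
    print("per-request auth (RFC 2617): ", squid_pconn_scenario(per_request=True))
```

With per-connection state the second client gets 200 although it never sent credentials; with per-request checking it gets the 401 it should. The proxy is not at fault in this model: connection persistence is hop-by-hop, so nothing about the upstream socket tells the origin which downstream client a given request came from, and only the request's own Authorization header can.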
