-----Original Message-----
From: adrian.wells [mailto:adrian.wells@sidcot.org.uk]
Sent: Thursday, September 23, 2004 11:01 AM
To: Martyn Bright; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid and Apache Authentication
Just an idea,
Would it be possible to do this by creating a random name for the login/PW
form controls using, say, PHP? Therefore (as I understand it) IE et al. would
not be able to offer an entry to an unknown form control. I assume it sees
"login", recognises the typed name and looks up the PW from its database.
Of course I may be way wrong! :-) Maybe a random page title would work in
just the same way?
Kind regards
Adrian Wells
~~~~~~~~~~~~
~~~~~~~~~~~~
Mozilla does this when I hit pages with forms too. It asks me if I'd like to
save the field values for the page that I'm on. This isn't controlled at a
proxy or the webserver, it is a browser setting that I can turn on or off.
The basic auth pop-up box has a built-in checkbox/statement that reads
"remember my password". A form based sign in can get around that, but then
you have the above issue where the browser may still offer to save the
username/password for that particular page.
Chris
----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Martyn Bright" <brightm@trml.co.uk>
Cc: <squid-users@squid-cache.org>
Sent: Thursday, September 23, 2004 11:56 AM
Subject: RE: [squid-users] Squid and Apache Authentication
> On Thu, 23 Sep 2004, Martyn Bright wrote:
>
> > A specific external site (that I do not control) the users need is https
> > and not available via the remote proxy - squid goes to it directly.
> >
> > I need the users to authorize before they connect to this specific site.
> > Unfortunately with basic auth, IE helps(!!!) by offering to remember the
> > users password details. I cannot allow this as the clients are accessible
> > by the public and must not be able to get to the secure site without
> > having to type in a password. I know I can disable this IE helper
> > functionality in windows, but that will stop it for all sites which is
> > not what I want.
> >
> > I figured that if I pass authentication control to a web page of my own,
> > I should be able to stop IE from interfering.
>
> Not really. If IE understands this page contains a password form it still
> allows you to save the password...
>
> And since the site is using https the proxy has no means of modifying the
> requests or adding/deleting any information while forwarding the request. All
> the proxy sees is that the browser wants to connect and do something at
> the requested site, nothing more.
>
> If the site was using http then Squid would be able to use other means of
> providing the authentication credentials, but with https sites the
> encryption considerably limits the man-in-the-middle capabilities.
>
> Regards
> Henrik
>
Received on Thu Sep 23 2004 - 09:20:41 MDT
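
The difference described in the quoted reply above, between what a forward proxy can read for an http request and for an https one, as an added example that is not part of the original thread. The host names and request bytes are constructed, and `proxy_view` is a hypothetical helper, not a Squid function.

```python
from urllib.parse import urlsplit

CRLF = b"\r\n"

# Constructed sample: a plain-http request as a browser sends it to a proxy.
HTTP_REQ = (b"GET http://intranet.example/reports?id=7 HTTP/1.1" + CRLF +
            b"Host: intranet.example" + CRLF + CRLF)

# Constructed sample: an https request. The browser asks for a tunnel, then
# sends TLS records (the 10 bytes here are a stand-in for a handshake).
CONNECT_REQ = (b"CONNECT secure.example:443 HTTP/1.1" + CRLF +
               b"Host: secure.example:443" + CRLF + CRLF +
               b"\x16\x03\x01\x00\x05hello")


def proxy_view(stream: bytes) -> dict:
    """Return what a forward proxy can read from a client's byte stream."""
    head, _, rest = stream.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        # Tunnel: the proxy learns host:port and the headers sent to the
        # proxy itself. Everything after the blank line is ciphertext that
        # it relays byte for byte, so it has no path, no inner headers and
        # nothing it can rewrite.
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port),
                "path": None, "headers": headers,
                "can_rewrite_request": False, "opaque_bytes": len(rest)}

    # Plain http: the full URL and headers are cleartext, so the proxy
    # could add, change or strip information while forwarding.
    url = urlsplit(target)
    return {"method": method, "host": url.hostname, "port": url.port or 80,
            "path": url.path or "/", "headers": headers,
            "can_rewrite_request": True, "opaque_bytes": 0}


if __name__ == "__main__":
    for sample in (HTTP_REQ, CONNECT_REQ):
        print(proxy_view(sample))
```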