Forcing MSIE to re-authenticate with proxy each time it starts

From: Armistead, Jason <>
Date: Wed, 06 Aug 1997 03:41:29 -0400


I'm using Squid 1.1.11 on Solaris 2.5.1 with the acl_proxy_auth_patch
1.1.11 applied (and compiled in).

All Internet access from our site has to be approved by management,
hence the use of Proxy Authorisation ACLs.

I want to force MSIE (Microsoft Internet Explorer) users to not be able
to cache their Proxy Authenticate username/password combos in their
password file (username.PWL in C:\WINDOWS), so they can't select the
"Save this password in your password list" box.

Basically this is to prevent after hours access to the proxy server by
people who could otherwise just allow MSIE to use an authenticated user's
password information to gain access. e.g. night-shift factory workers
with an appetite for XXX rated materials using the day shift bosses

I also want to make sure that each day when MSIE is started, the "real"
user has to make a conscious effort to enter his/her credentials before
the Proxy will let them gain access.

Has anyone developed such functionality in the form of a patch/hack?

I was thinking of adding to the PROXY_AUTH_ERR_MSG an extra part in the
realm which contains some sort of changing realm info e.g. part of the
date returned by asctime such as "Wed Aug 6", or simply "Aug 6". That
would force at least 1 year's worth of different realm challenges to the
browser. Maybe I'd issue a different challenge after "normal" hours of
5pm, to catch out any after hours "sneaks". So far I've got half of it
together and it seems to work.

Of course, there is a problem in that MSIE stores cached passwords in
the username.PWL file in C:\WINDOWS, and this has a tendency to grow
each time a new realm is presented. (They seem to have worked out the
security issues in relation to cracking passwords). Does anyone know if
the PWL file automatically "expires" and purges old passwords that
haven't been used for more than a certain period? That would be nice,
and would save me worrying about some hideous undocumented Win 95
limitation. Maybe I could write a program along the lines of the
PWLedit program that Microsoft throws into the Admin\Apptools\Pwledit
directory of the Win95 CD-ROM? Any suggestions welcome!!!!

Maybe I'm paranoid, but I don't want legitimate users suddenly having
log files which reveal apparent breaches of our Internet guidelines
policy, only to find out they aren't responsible at all......


Jason Armistead
Received on Wed Aug 06 1997 - 00:58:03 MDT
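
The rotating-realm idea described in the message above, as an added example; it is not the poster's patch and not Squid's own code. The function names and the base realm string "Squid proxy" are assumptions made for illustration.

```c
/* Added example: rotating Basic-auth realm for a 407 proxy challenge.
 * Function names and the base realm are assumptions, not Squid identifiers. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define AFTER_HOURS_START 17 /* 5pm, the cut-off mentioned in the post */

/* Reject characters that would break out of the quoted realm string
 * or inject an extra header line. */
static int realm_is_safe(const char *s)
{
    for (; *s; s++)
        if (*s == '"' || *s == '\\' || (unsigned char)*s < 0x20 || *s == 0x7f)
            return 0;
    return 1;
}

/* Writes e.g.  Proxy-Authenticate: Basic realm="Squid proxy Aug 06"
 * Returns 0 on success, -1 on unsafe input or truncation. */
int build_proxy_challenge(const struct tm *now, const char *base_realm,
                          char *out, size_t outlen)
{
    char day[16];
    const char *shift;
    int n;

    if (!realm_is_safe(base_realm))
        return -1;
    /* Month and day only, so the realm changes once per calendar day. */
    if (strftime(day, sizeof day, "%b %d", now) == 0)
        return -1;
    /* A second realm after hours, so credentials cached for the
     * daytime realm are not offered by the browser. */
    shift = (now->tm_hour >= AFTER_HOURS_START) ? " after-hours" : "";
    n = snprintf(out, outlen, "Proxy-Authenticate: Basic realm=\"%s %s%s\"",
                 base_realm, day, shift);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char hdr[128];
    time_t t = time(NULL);
    if (build_proxy_challenge(localtime(&t), "Squid proxy", hdr, sizeof hdr) == 0)
        puts(hdr);
    return 0;
}
```

Because the year is not part of the string, each realm repeats after twelve months, which matches the "1 year's worth" of challenges the message mentions.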
