Re: [squid-users] Basic authentication, Connection: keep-alive and IIS

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 4 Jul 2001 17:57:15 +1000

----- Original Message -----
From: <frob@webcentral.com.au>
To: <squid-users@squid-cache.org>
Sent: Wednesday, July 04, 2001 5:25 PM
Subject: [squid-users] Basic authentication, Connection: keep-alive and IIS

> I have the following problem: a user connects (via squid)
> to a site that requires authentication. The site returns a
> 401, the client sends an "Authorization: Basic" and specifies
> "Connection: Keep-Alive". The site delivers the page, and squid
> keeps the connection open. Now a different client connects
> before pconn_timeout expires, requesting the same page without
> "Authorization:". squid issues the request over the same fd,
> and the server delivers the page.
>
> I'm trying to make the case that the server is at fault for
> not checking the authorization on each request (not connection).
> I believe that Henrik feels the same
> (http://www.squid-cache.org/mail-archive/squid-dev/200010/0138.html)
> but I can't identify the passage that supports this POV. The
> closest I can get is in RFC2617 sec 2:
>
> A client MAY preemptively send the
> corresponding Authorization header with requests for resources in
> that space without receipt of another challenge from the server
>
> This seems (to me) to imply that the server will check every request
> for authorization, why else would the header be sent preemptively?
> However, I can't find this stated anywhere (i.e. a server MUST check
> every *request* for protected URIs for authorization).
>
> Anybody got any pointers?

Yes. The Authorization header is defined as a message header.

Rob

>
> Thanks,
> Rick.
>
> --
> Rick Lyons
> WebCentral
>
Received on Wed Jul 04 2001 - 01:54:53 MDT
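
The scenario from this thread as an added example (not code from the thread, Squid or IIS): a loopback test server that validates `Authorization` on every request, next to a variant that remembers authentication per connection, with two requests replayed over one persistent connection the way a proxy reusing a server connection would. The credentials, path and function names are constructed for the demo.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed credentials, used only by this demo.
EXPECTED = "Basic " + base64.b64encode(b"rick:s3cret").decode()

class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"   # enables persistent connections
    per_request = True              # False models the faulty origin server

    def do_GET(self):
        ok = self.headers.get("Authorization") == EXPECTED
        if not self.per_request:
            # Faulty: remember success on the connection. One handler
            # instance serves every request on a given TCP connection.
            ok = ok or getattr(self, "conn_authed", False)
            self.conn_authed = ok
        body = b"secret page\n" if ok else b"auth required\n"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass

def replay(per_request):
    """Client A (with credentials), then client B (without), on ONE connection."""
    handler = type("H", (Handler,), {"per_request": per_request})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
    statuses = []
    try:
        for headers in ({"Authorization": EXPECTED}, {}):
            conn.request("GET", "/protected", headers=headers)
            resp = conn.getresponse()
            resp.read()             # drain so the connection is reused
            statuses.append(resp.status)
    finally:
        conn.close()
        srv.shutdown()
        srv.server_close()
    return statuses

if __name__ == "__main__":
    print("per-request:", replay(True), "per-connection:", replay(False))
```

With the per-request check the second, unauthenticated request is answered with 401 even though it arrives on the connection that just carried valid credentials.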
