> Whatever is used will need to know who is authenticated and what they are
> allowed to see. If one of the two key properties are not known then any
> authorization cannot take place.
>
> If the clients are behaving and adding Referer headers (completely
> optional) you may get away with an ACL that checks the referrer is on teh
> accepted sites list. However, this will permit one link out of the secured
> area to be taken by anyone, AND a bad client can easily forge Referer: to
> get around all your protections.
>
> With a lot of luck and some coding you could create something that
> processes pages as they come in and lets certain URL (ie img/object
> href's) through, but either way its a bigger risk than non-customer
> annoyance.
>
Thanks Amos,
The most annoying thing for non-authenticated users is that the
authentication pop-up keeps coming, even if he presses escape, on the
new request the pop-up comes back. I was thinking of a setting in
squid where it remembers for a given period that the ip is not
authenticated, without asking again and again.
Received on Sat Nov 17 2007 - 00:57:33 MST
This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST