On tor, 2008-07-03 at 15:00 +0100, Joe Tiedeman wrote:
> It seems to be that IIS is sending the 401 response before squid & the
> client have finished sending the initial request to it, after sniffing
> the traffic with wireshark on the client, squid is forwarding the 401
> response before the client has finished posting the data.
The interesting things is what happens after the 401 response. Do Squid
close the connection before the client sent all of the request, or is
the connection kept open allowing the client to continue sending the
request?
What about the connection squid<->webserver?
The microsoft "schemes" NTLM / Negotiate and Kerberos is a bit at odds
with how HTTP authentication works, which causes some quite odd corner
cases.. How things are supposed to work in the "HTTP" way is that the
connection is kept open and request data being read, but the client when
seeing the 401 should immediately abort the transfer (by closing the
connection) and try again with correct credentials. This can not be
done in the connection oriented auth schemes and the client must instead
transmit the whole request, even when it's known it is now going into
the bitbucket.. may not be such a big deal when on a LAN/Intranet, but
if over a WAN it can be very annoying..
Regards
Henrik
This archive was generated by hypermail 2.2.0 : Mon Jul 07 2008 - 12:00:03 MDT