Re: [squid-users] squid set cookie? from Amos Jeffries on 2010-04-26 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 27 Apr 2010 01:09:32 +0000

On Mon, 26 Apr 2010 10:45:26 -0700, kiran kumar <cnvkiran_at_gmail.com>
wrote:
> Is it possible for Squid to Set Cookie in response messages upon
> SUCCESS in NTLM authentication phase. By setting the cookie, we like
> to avoid authentication in next Client request to same domain even on
> a different TCP connection. This is what we wish to achieve.

lets go back to security school...

>
> 1.Configure external_acl "is_auth_needed" which takes COOKIE,URL and
> Source-IP as parameters.
>
> "http_access deny is_auth_needed !proxy_auth".

... create a helper which takes a URL, TCP link and hash key...

>
> 2.When a Client sends a new HTTP request,The external_acl program
> looks into its cache to see if a valid entry for combination of
> COOKIE+Source_Ip exists. If yes, it returns "ERR" and hence NTLm
> authentication skipped.

... when a client sends a new HTTP request, the helper checks for
credentials.

* requests some be sent if there are none
* if credentials contain a "hash key", checks it is known and returns
ERR/OK

>
> 3.If no entry is found, it returns OK and NTLM phase is triggered.

...
* if credentials contain no "hash key", checks the credentials

>
> 4.Upon successful authentication, the ntlm_auth helper program returns
> OK. If Squid provides for setting "Cookie" value now, then we can
> avoid authentication for subsequent requests.

... on successful credentials validation NTLM generates a "hash key" and
sends a HTTP reply back to set the "hash key" for use by the client in
following requests
down that TCP link ...

>
> I have seen few related mail-exchanges on setting of Cookies, but
> looking at squid.conf could not figure out how to do this. Any help
> and suggestion is highly appreciated.
>

As you can see. Replacing the term "hash key" with "cookie" and you have
zero gain and maybe a loss of security since cookies are non-encrypted.
Whereas a hash key is as secure as the algorithm used to generate it. Sadly
NTLM uses an easy to break hash algorithm. Kerberos is the version with
more secure hash created.

One guess what happens when either the "hash key" (aka "cookie") is
missing or expired?

Take a good think about why you need this. If you explain the real problem
causing that need we probably have a better way for you to solve the
problem.

Amos
Received on Tue Apr 27 2010 - 01:09:54 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 27 2010 - 12:00:05 MDT