[squid-users] Basic authentication, Connection: keep-alive and IIS

From: <[email protected]>
Date: Wed, 04 Jul 2001 17:25:56 +1000 (EST)

I have the following problem: a user connects (via squid)
to a site that requires authentication. The site returns a
401, the client sends an "Authorization: Basic" and specifies
"Connection: Keep-Alive". The site delivers the page, and squid
keeps the connection open. Now a different client connects
before pconn_timeout expires, requesting the same page without
"Authorization:". squid issues the request over the same fd,
and the server delivers the page.

I'm trying to make the case that the server is at fault for
not checking the authorization on each request (not connection).
I believe that Henrik feels the same
(http://www.squid-cache.org/mail-archive/squid-dev/200010/0138.html)
but I can't identify the passage that supports this POV. The
closest I can get is in RFC2617 sec 2:

                                A client MAY preemptively send the
   corresponding Authorization header with requests for resources in
   that space without receipt of another challenge from the server

This seems (to me) to imply that the server will check every request
for authorization, why else would the header be sent preemptively?
However, I can't find this stated anywhere (ie a server MUST check
every *request* for protected URIs for authorization).

Anybody got any pointers?

Thanks,
Rick.

-- 
Rick Lyons
WebCentral
Received on Wed Jul 04 2001 - 01:26:00 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:00 MST