RE: Small question about the caching of password protected pages

From: Nottingham, Mark (Australia) <mark_nottingham@dont-contact.us>
Date: Thu, 11 Feb 1999 18:46:14 -0500

Ahh, now it gets intersting.

There are mechanisms to assure the currency of normal HTTP authorization
fields (Cache-Control: public, must-revalidate), but not in proxy chains.
Unless you force closest proxy to revalidate every request with it's parent,
there's nothing in the protocol to stop a fresh object from being served
without Proxy-Authorization.

I must stress that this is ONLY for fresh objects; revalidation will force a
Proxy-Authenticate response header to be issued, and passed to the client.

This stuff is fairly implementation-specific, and I haven't done much
testing of it (with squid). I have talked to a lot of the commercial vendors
about it, and everyone has a slightly different answer about how they want
to handle this situation.

Anybody else?

> -----Original Message-----
> From: Williams Jon [mailto:WilliamsJon@JDCORP.deere.com]
> Sent: Friday, February 12, 1999 12:22 AM
> To: squid-users@ircache.net
> Subject: RE: Small question about the caching of password protected
> pages
>
>
> How about Proxy Authentication? For example, if I have three proxies
> chained together and the middle one is doing authentication,
> will the proxy
> closest to the user serve up documents in its cache to an
> unauthenticated
> user, or will it not cache anything and pass all requests up
> to the middle?
>
> Jon
>
> > -----Original Message-----
> > From: Nottingham, Mark (Australia)
> > [SMTP:mark_nottingham@exchange.au.ml.com]
> > Sent: Wednesday, February 10, 1999 7:15 PM
> > To: 'Simon Austin'; squid-users@ircache.net
> > Subject: RE: Small question about the caching of
> password protected
> > pages
> >
> > I've done extensive testing with recent versions of Squid,
> and can say
> > authoritatively that they do not cache pages with HTTP
> authentication.
> >
> > If you can reproduce the behavior in a 'clean' environment
> (you see the
> > activity, you can confirm that the browser hasn't
> previously requested the
> > objects in the same session, you can confirm that the
> objects don't have
> > the
> > headers mentioned), you might be on to something; it would
> be interesting
> > to
> > find out what version of Squid were being used, as well as
> if there were
> > any
> > other proxies in the path (the Squid might be using another
> proxy as a
> > parent).
> >
> > Otherwise, I'd tend to think it was just a
> misperception/false report by
> > the
> > user; they aren't generally reliable, doubly so with salespeople ;-)
> >
> > If you can give me the URL of the site and a test user/pass
> pair, I'll be
> > happy to test it with a few different caches...
> >
>
Received on Thu Feb 11 1999 - 16:38:18 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:44:32 MST