[squid-users] Removing cache credentials

Victor Sudakov sudakov at sibptus.tomsk.ru
Mon Nov 17 04:26:30 UTC 2014


Amos Jeffries wrote:
> > 
> > If we speak about Kerberos authentication. On the very first
> > request, the browser receives a "407 Proxy Authentication Required"
> > reply and learns that it is expected to provide credentials. For a
> > certain amount of time, the browser knows that it should send the
> > credentials with every request without waiting for a 407 reply.
> > 
> > How long is this amount of time? Is it like forever?  Is there ever
> > a limit after which the browser will try again to send a request
> > without credentials? Maybe after a browser restart or what?
> > 
> 
> Negotiate/Kerberos (and NTLM) do not authenticate the request. They
> abuse HTTP to authenticate the TCP connection underneath HTTP. So the
> credentials must be re-used for the entire lifetime of that TCP
> connection. Changing credentials means tearing down that whole TCP
> connection.

As far as I understood you, there would be a "407 Proxy Authentication
Required" and "Proxy-Authorization: Negotiate" pair in each TCP
connection between browser and proxy.

If the connection is used for several requests, only the first HTTP
request in the connection would contain authentication info.  But each
new TCP connection is re-authenticated by HTTP. Is this correct?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
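
Added example, not part of the original message and not Squid code: a simplified Python model of the connection-bound authentication described in the quoted reply, where the identity is attached to the TCP connection rather than to each request. The `ProxyModel` class, the token table standing in for Kerberos/GSSAPI validation, and the choice to close the connection when a different identity is presented are assumptions made for illustration.

```python
# Simplified model (added example, not Squid code) of connection-bound proxy auth.
from dataclasses import dataclass, field

# Constructed token -> user table; an assumption standing in for real
# Kerberos/GSSAPI token validation.
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class ProxyModel:
    bound: dict = field(default_factory=dict)  # conn_id -> authenticated user

    def handle(self, conn_id, proxy_authorization=None):
        """Return (status, user, connection_stays_open) for one HTTP request."""
        user = self.bound.get(conn_id)
        if proxy_authorization is None:
            if user is None:
                # Unauthenticated connection: challenge, keep it open for the retry.
                return 407, None, True
            # Connection already authenticated: the request inherits its identity.
            return 200, user, True
        scheme, _, token = proxy_authorization.partition(" ")
        presented = VALID_TOKENS.get(token) if scheme == "Negotiate" else None
        if presented is None:
            return 407, None, True
        if user is not None and presented != user:
            # Different identity on a bound connection: drop the binding and close
            # (assumed behaviour modelling "changing credentials means tearing down").
            del self.bound[conn_id]
            return 407, None, False
        self.bound[conn_id] = presented
        return 200, presented, True

    def close(self, conn_id):
        # The binding dies with the TCP connection.
        self.bound.pop(conn_id, None)


def demo():
    p = ProxyModel()
    return [
        p.handle("c1"),                         # new connection, no credentials
        p.handle("c1", "Negotiate tok-alice"),  # handshake binds c1 to alice
        p.handle("c1"),                         # later request carries no header
        p.handle("c2"),                         # second connection starts unauthenticated
        p.handle("c2", "Negotiate tok-bob"),    # c2 is bound independently of c1
        p.handle("c1", "Negotiate tok-bob"),    # different identity on c1
        p.handle("c1"),                         # the c1 binding is gone
    ]
```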

