
List:       squid-dev
Subject:    Re: Greetings / cookie auth for transparent mode
From:       Henrik Nordstrom <hno () squid-cache ! org>
Date:       2005-06-24 19:59:26
Message-ID: Pine.LNX.4.61.0506242145140.6397 () localhost ! localdomain

On Thu, 23 Jun 2005, Kinkie wrote:

> How do you plan to get around the fact that cookies are tied to at most
> the second-level domain of the URL the user is visiting?

What you do is to define one server name as the "login server". When 
seeing a request without the needed cookie you redirect to the login 
server including the requested URL as argument, and the login server 
responds by returning a set of cookies suitable for both itself and the 
requested domain. Already done that in reverse-proxy setups where no 
modification to Squid is required at all (just some acl helpers to verify 
the used cookies, and a suitable deny_info directive).

But as Kinkie said, this is not a wonderful thing to do for intercepting 
proxies. You both risk flooding the client with cookies, and also the 
needed redirection isn't always safe. Most notably you can only redirect 
GET requests in this manner, and if the first request for a new domain is 
POST or something else you get into trouble..

Another thing to consider for doing this in an intercepting Squid proxy is 
that you need to extend Squid to not forward your login cookie. You do not 
want this information to leak out on the Internet as it is both a security 
and a privacy threat. You must also be careful in selecting the name of 
your cookie to not collide with any cookies the accessed Internet servers 
may use.

Regards
Henrik
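
The flow described in the message above, sketched as an added example (not code from the post or from Squid): redirect cookie-less GET requests to the login server, refuse other methods, and remove the login cookie before a request is forwarded. The login server URL, cookie name, key and the HMAC-signed cookie format are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

# Every name and value here is an assumption made for this example.
LOGIN_SERVER = "http://login.example.internal/login"  # hypothetical login server
COOKIE_NAME = "x_proxy_login_7f3a"  # unusual name so it cannot collide with site cookies
SECRET = b"constructed-demo-key"    # constructed key, shared with the login server


def sign(user: str) -> str:
    """Cookie value the login server would issue: user name plus an HMAC tag."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def cookie_parts(header: str):
    """Split a Cookie request header into its 'name=value' parts, in order."""
    return [p.strip() for p in header.split(";") if p.strip()]


def valid_login(header: str) -> bool:
    """True if the header carries a correctly signed login cookie."""
    for part in cookie_parts(header):
        name, _, value = part.partition("=")
        if name.strip() == COOKIE_NAME:
            user = value.rpartition(".")[0]
            return bool(user) and hmac.compare_digest(
                value.encode(), sign(user).encode())
    return False


def strip_login_cookie(header: str) -> str:
    """Cookie header to send upstream, without the proxy's own cookie."""
    return "; ".join(p for p in cookie_parts(header)
                     if p.partition("=")[0].strip() != COOKIE_NAME)


def decide(method: str, url: str, cookie_header: str = ""):
    """Return (action, data) for one intercepted request."""
    if valid_login(cookie_header):
        # The login cookie must never reach the origin server.
        return "forward", strip_login_cookie(cookie_header)
    if method == "GET":
        # Only GET can be bounced through the login server and replayed.
        return "redirect", f"{LOGIN_SERVER}?url={quote(url, safe='')}"
    # POST and other methods cannot be redirected this way; this sketch refuses them.
    return "deny", None
```
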