Robert Szelepcsenyi <[EMAIL PROTECTED]> wrote:
> If I use the module on a reverse proxy and the target server asks
> for authentication, the cookie is invalidated as soon as the user
> tries to authenticate to the target server, because the
> username/password pair is replaced.

Then I guess you can't use username/password authentication.

> The question is whether including username/password in the public
> information really helps to prevent spoofing the cookie, as this
> information can easily be replicated in any request.

It helps, but it's not a strong "help".

> What I need is to push all relevant information to cookies and
> "clear" this path. The radius module can be easily modified to
> behave in this way. Just I am not sure about security issues
> involved.

For a reverse proxy, it won't matter too much if you don't make the cookie depend on username & password.

Alan DeKok.

