On Wed, May 26, 2004 at 11:16:45AM +1000, [EMAIL PROTECTED] wrote: > Hi all, > > Just wondering if any one has thought about this question before and found the > answer. > Authenticating proxy servers do they pass-on user information and credentials? > I mean after a windows user has sent their credentials to a proxy server beit > through a pop-up dialogue box or just through the windows client. Does the > credientials get stripped out or do they flow on throught the ether?
They get stripped, unless the proxy is downstream of another authenticating proxy, in which case a set of Proxy-Auth credentials gets sent according to the configuration of the sending proxy. Rob Collins could tell you a lot more about that sort of thing, though. There's actually two different headers for authentication - Proxy-Authentication: and Authentication:. Obviously the first is used by proxies (and stripped out of the on-sent request) while the other is used by the actual web server, and is typically not mangled at all by the intermediate proxies. > (This is a question for all forms of proxy servers from MS, squid, Novell, > suns etc) There may be bugs or misimplementations in any proxy software which results in proxy auth credentials being sent, but it would almost certainly be a major security bug for the vendor involved. Read up on the HTTP 1.1 RFCs if you want to know all the gory details of how HTTP proxy authentication works. - Matt -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
