---------- Forwarded message ----------
Date: Fri, 27 May 2005 10:59:41 +1000
From: Joshua Goodall <[EMAIL PROTECTED]>
To: [email protected]
Subject: [squid-users] Bugs in IE digest proxy auth

Hi folks,

I've observed three bugs in IE6's digest proxy authentication implementation. Is anyone able to confirm that it's Not Just Me, and whether any good workarounds are already out there?

1. Double-quote-marks in URLs. IE sends a digest-uri-value that's improperly escaped, as in (when visiting http://localhost/test.html"foo):

    Digest username="User Name", realm="Login", qop="auth", algorithm="MD5", uri="/test.html"foo", nonce="q3...

   vs Firefox which sends:

    Digest username="User Name", realm="Login", nonce="42yWQuDPGw/gebJ8", uri="/test.html%22foo", response="666...

   I've worked around this by means of a hack in authenticateDigestDecodeAuth.

2. Never reuses a nonce - always sends a request, gets a 407 challenge with a new nonce value, then reissues the request with the correct Proxy-Authorization header; this doubles the number of actual HTTP requests; is there a workaround?

3. IE gets confused when a website uses a 401 authentication challenge. In this case, it prompts for and sends the Authorization: header, but then repeatedly re-prompts the user for their proxy credentials. I've worked around this by inventing the following access list:

    acl msie-win-browser browser MSIE.*Windows
    acl basic-auth auth_regex Basic
    auth_param digest access deny msie-win-browser basic-auth
    auth_param digest access allow all

   Yes, I had to invent "auth_regex" and "auth_param digest access". This ACL effectively downgrades the user to using basic proxy auth if using basic www auth.

I'd especially like a solution for bug 3, because the workaround is ugly, insecure and expensive.

I have a case open with Microsoft Partner Support right now. Oddly enough, IE5 on the Mac doesn't have any of these symptoms.

Any takers?

--
Joshua Goodall                  "as modern as tomorrow afternoon"
[EMAIL PROTECTED]               - FW109
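Added example, not part of the original message and not Squid's code: for the header shape in bug 1, it contrasts a lenient name="value" scan, which silently truncates the unescaped uri value, with a fail-closed parser that follows the RFC 2617 auth-param grammar and rejects the header. The function names and the nonce/response values in the sample headers are assumptions constructed for illustration.

```python
import re

# RFC 2617 auth-param: token "=" ( token | quoted-string ), comma separated.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = re.compile(rf'\s*({_TOKEN})\s*=\s*({_QUOTED}|{_TOKEN})\s*(?:,|$)')

class MalformedDigest(ValueError):
    """Raised when the credentials do not match the auth-param grammar."""

def naive_params(header):
    # Lenient scan: keeps every name="value" pair, skips whatever lies between.
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def strict_params(header):
    # Fail-closed parse: every byte must belong to a well-formed auth-param.
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise MalformedDigest("not a Digest credential")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            raise MalformedDigest(f"bad auth-param at offset {pos}")
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo quoted-pair
        if name in params:
            raise MalformedDigest(f"duplicate parameter {name!r}")
        params[name] = value
        pos = m.end()
    return params

# Constructed samples modelled on the two header shapes quoted in the post;
# nonce and response values are placeholders, not values from the post.
IE6_STYLE = ('Digest username="User Name", realm="Login", qop="auth", '
             'algorithm="MD5", uri="/test.html"foo", '
             'nonce="constructed-nonce", response="constructed-response"')
FIREFOX_STYLE = ('Digest username="User Name", realm="Login", '
                 'nonce="constructed-nonce", uri="/test.html%22foo", '
                 'response="constructed-response"')

if __name__ == "__main__":
    print(naive_params(IE6_STYLE)["uri"])       # truncated URI, no error
    print(strict_params(FIREFOX_STYLE)["uri"])
    try:
        strict_params(IE6_STYLE)
    except MalformedDigest as exc:
        print("rejected:", exc)
```

A proxy that accepts the truncated value ends up comparing a uri that differs from the request line, so rejecting or explicitly repairing the header is safer than guessing.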
