Henrik Nordstrom wrote:
On Friday 12 September 2003 14.33, Marco Stolpe wrote:

[...]
What I mean is: based on which credentials (per request) does the
proxy decide which traffic is allowed to pass through after it has
successfully authenticated a user?

The proxy always requires valid authentication to be attached to each and every request. If there are no valid login details attached to the request to the proxy then the request will be rejected. It is the browser or OS that maintains the browsing session and hides most of this logic from the user (the OS/browser only asks for login on first access etc).

Aaaah, thank you very much for your help. After reading so much about creating customized login pages for web applications and keeping session-ids by the use of cookies / rewritten URLs, I had entirely forgotten that with basic authentication the session is managed by the browser. That was exactly the information I needed to get a better impression of the type of security one could achieve with a proxy.


Well, it's clear to me that absolute security is not possible. But regarding the background information you have given to me, I hope with a proxy one could at least reduce the probability of an incident, especially in comparison to the firewall solution I presented here. Moreover, a proxy would be more user friendly in this case.

Thanks again,

Marco
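
Added example, not part of the original thread and not Squid's code: a minimal per-request check for HTTP Basic proxy authentication. It shows that the proxy keeps no session and that the "session" is only the browser re-sending the same Proxy-Authorization header. The user store, realm name and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed credential store: username -> SHA-256 of the password.
# (Illustration only; a real deployment would use a salted password hash.)
USERS = {"marco": hashlib.sha256(b"s3cret").hexdigest()}
REALM = "proxy"  # assumed realm name


def check_proxy_auth(headers):
    """Return (status, response_headers) for one request.

    No session state is kept: the decision depends only on the
    Proxy-Authorization header carried by this request.
    """
    challenge = {"Proxy-Authenticate": f'Basic realm="{REALM}"'}
    value = headers.get("Proxy-Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return 407, challenge  # no credentials: ask the client for them
    try:
        # Basic credentials are only base64-encoded, not encrypted.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return 407, challenge
    user, sep, password = decoded.partition(":")
    if not sep:
        return 407, challenge
    expected = USERS.get(user, "")
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time comparison; unknown users fail like wrong passwords.
    if not hmac.compare_digest(expected, supplied):
        return 407, challenge
    return 200, {}


def browser_header(user, password):
    """What the browser attaches to every request after the first prompt."""
    raw = f"{user}:{password}".encode()
    return {"Proxy-Authorization": "Basic " + base64.b64encode(raw).decode()}
```
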


