Amos Jeffries wrote:
> >
> > If we speak about Kerberos authentication. On the very first
> > request, the browser receives a "407 Proxy Authentication Required"
> > reply and learns that it is expected to provide credentials. For a
> > certain amount of time, the browser knows that it should send the
> > credentials with every request without waiting for a 407 reply.
> >
> > How long is this amount of time? Is it like forever? Is there ever
> > a limit after which the browser will try again to send a request
> > without credentials? Maybe after a browser restart or what?
> >
>
> Negotiate/Kerberos (and NTLM) do not authenticate the request. They
> abuse HTTP to authenticate the TCP connection underneath HTTP. So the
> credentials must be re-used for the entire lifetime of that TCP
> connection. Changing credentials means tearing down that whole TCP
> connection.

As far as I understood you, there would be a "407 Proxy Authentication
Required" and "Proxy-Authorization: Negotiate" pair in each TCP
connection between browser and proxy. If the connection is used for
several requests, only the first HTTP request in the connection would
contain authentication info. But each new TCP connection is
re-authenticated by HTTP. Is this correct?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
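
One way to check the question above against your own proxy capture, as an added example that is not part of the original post: group the exchanges by TCP connection and report, per connection, whether a 407 challenge occurred and whether later requests were accepted without a `Proxy-Authorization: Negotiate` header. The record layout, function names and sample trace are assumptions; the trace is constructed to exercise each outcome and says nothing about what any particular browser does.

```python
from collections import defaultdict

# Constructed sample (not from the post): one tuple per HTTP exchange,
# (tcp_connection_id, Proxy-Authorization value or None, response status).
SAMPLE_TRACE = [
    ("c1", None, 407),
    ("c1", "Negotiate TOKEN", 200),
    ("c1", None, 200),
    ("c2", "Negotiate TOKEN", 200),
    ("c2", "Negotiate TOKEN", 200),
    ("c3", None, 407),
    ("c3", "Basic TOKEN", 200),
]

def scheme(header):
    """Return the lower-cased auth scheme of a header value, or None."""
    parts = header.split(None, 1) if header else []
    return parts[0].lower() if parts else None

def summarize(trace):
    """Collect per-connection authentication facts from the trace."""
    conns = defaultdict(lambda: {"challenged": False, "negotiate": 0,
                                 "reused_auth": 0, "other_schemes": set()})
    for conn_id, proxy_auth, status in trace:
        c = conns[conn_id]
        s = scheme(proxy_auth)
        if status == 407:
            c["challenged"] = True
        if s == "negotiate":
            c["negotiate"] += 1
        elif s is not None:
            c["other_schemes"].add(s)
        elif status != 407 and c["negotiate"]:
            # Accepted without credentials after an earlier Negotiate
            # request on the same TCP connection.
            c["reused_auth"] += 1
    return dict(conns)

def classify(c):
    """Label a connection summary by how Negotiate credentials were used."""
    if not c["negotiate"]:
        return "no-negotiate"
    return "connection-bound" if c["reused_auth"] else "sent-every-request"

if __name__ == "__main__":
    for conn_id, facts in summarize(SAMPLE_TRACE).items():
        print(conn_id, classify(facts), facts)
```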