On Tue, 10 Jun 1997, Colin Campbell wrote:
> Would someone knowledgeable (or otherwise :-) care to enlighten
> me (and possibly others) on how the PIX authenticates users of
> the HTTP protocol.
>
> My understanding so far ....
> [...]
Your understanding is correct! And this reasoning holds for other
firewalls. As a matter of fact, this is inherent to HTTP which doesn't
have a "session" concept (as FTP does, for instance).
> [...]
> This last point tends to indicate that the browser sends nothing
> to the PIX in the normal HTTP stream and that the authentication is
> done by a separate application (Java?) on the user's machine. This
> then brings problems with people running Lynx (there are some still)
> or hosts not supported by PIX's "authentication client".
This authentication schema has nothing to do with separate applications.
It is embedded in the browsers.
The shortcomings you describe, and others (e.g. many users sitting behind
the same proxy-server), make this kind of authentication virtually
useless.
You could use a form in HTTPS to gather authentication info from the
user, generate a cookie with a "session signature" (maybe a big random
number and a time stamp, cryptographed), and ask this cookie back for the
next accesses. (Does someone have a better schema?)
Cheers All,
Bill.
--
Bill Coutinho mailto:bill@dextra.com.br
Dextra Internet Solutions http://www.dextra.com.br/
Campinas, SP - Brazil voice:+55-19-251-3644
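The cookie scheme Bill sketches (random number plus time stamp, cryptographically protected, handed back on later requests), worked through as an added example that is not part of the original message. It assumes an HMAC-SHA256 tag over the cookie body as the "cryptographed" protection, a server-side secret key, a fixed session lifetime, and hypothetical function names; the login form itself is out of scope.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads it from protected storage.
SECRET_KEY = os.urandom(32)
SESSION_LIFETIME = 8 * 3600  # seconds a session cookie stays valid after issue

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session(user: str, now: Optional[float] = None, key: bytes = SECRET_KEY) -> str:
    """Build the cookie value once the HTTPS form login has succeeded."""
    issued = int(time.time() if now is None else now)   # the time stamp
    nonce = os.urandom(16)                              # the "big random number"
    body = f"{user}|{issued}|{_b64(nonce)}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()  # binds body to our secret
    return _b64(body) + "." + _b64(tag)

def verify_session(cookie: str, now: Optional[float] = None, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered: reject before trusting any field
        user, issued, _nonce = body.decode().rsplit("|", 2)
        current = time.time() if now is None else now
        if current - int(issued) > SESSION_LIFETIME:
            return None  # time stamp too old: the session has expired
        return user
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None  # malformed cookie
```

The browser only ever holds an opaque value; every later request is checked against the server secret, so neither the user's address nor a shared proxy matters.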