Using Cookie-based Authentication with a Forward Proxy
Novell Cool Solutions: Feature
Posted: 24 May 2002
Current version: BorderManager 3.7
BorderManager can associate a unique cookie with each user so that requests can be tracked. Here is how it works.
- A user makes a GET HTTP request via the browser to the BorderManager forward proxy.
- BorderManager authenticates the user using SSL authentication.
- If the authentication is successful, it generates a cookie, stores it in an internal table, and also issues a set cookie command to the browser for both the proxy domain and the target domain using triple redirects. This ensures that the browser sends the cookie in the HTTP header in all subsequent requests.
- Because BorderManager expects a cookie in every request from an authenticated user, the product extracts the cookie from the received request and checks for an authentication entry against that cookie. If an authentication entry is found, the user is considered authenticated and the request is processed. If the cookie header is missing, BorderManager goes through the entire authentication process again and creates a new cookie.
BorderManager sets "session cookies" on the browsers. These cookies don't live beyond the particular session of the browser. When the browser is unloaded and reloaded, the user must re-authenticate to the proxy. Previously, the only user identity information present in an HTTP request was the source IP address. However, using cookie-based authentication, each user can have a unique session identity that is established with each login. Even if many users share the same IP address (for example, when going through a Network Address Translator (NAT), proxy, circuit-level gateway, and so on), the cookie identifies each user uniquely.
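The decision flow described above, as an added Python model that is not BorderManager code: it contrasts cookie-based and IP-based attribution for two users behind one NAT address. The cookie name, class and function names, user names and the address are assumptions made for illustration.

```python
import secrets

COOKIE_NAME = "proxy_session"  # hypothetical; the article does not name the cookie


class ForwardProxyModel:
    """Toy model of the proxy's authentication decision, not BorderManager code."""

    def __init__(self, cookie_auth_enabled):
        self.cookie_auth_enabled = cookie_auth_enabled
        self.cookie_table = {}  # cookie value -> user (the "internal table")
        self.ip_table = {}      # source IP -> user (IP-based mode)

    def handle(self, source_ip, cookies, login_as):
        """Return (user the request is attributed to, cookies to set).

        login_as is the user who would complete the SSL login if the proxy
        decides this request is not yet authenticated.
        """
        if self.cookie_auth_enabled:
            user = self.cookie_table.get(cookies.get(COOKIE_NAME))
            if user is not None:
                return user, {}  # authentication entry found: process request
            # Missing cookie (assumption: an unknown value is treated the same):
            # run the full authentication again and create a new cookie.
            value = secrets.token_urlsafe(32)
            self.cookie_table[value] = login_as
            return login_as, {COOKIE_NAME: value}
        # IP-based mode: the source address is the only identity available.
        if source_ip not in self.ip_table:
            self.ip_table[source_ip] = login_as
        return self.ip_table[source_ip], {}


def simulate_shared_nat(cookie_auth_enabled):
    """Two users behind one NAT address (constructed) each send two requests."""
    proxy = ForwardProxyModel(cookie_auth_enabled)
    nat_ip = "203.0.113.10"  # constructed documentation address
    jars = {"alice": {}, "bob": {}}  # one session cookie jar per browser
    seen = []
    for user in ("alice", "bob", "alice", "bob"):
        attributed, set_cookies = proxy.handle(nat_ip, jars[user], login_as=user)
        jars[user].update(set_cookies)
        seen.append((user, attributed))
    return seen
```

In IP-based mode the second user's requests are attributed to whoever authenticated first from the shared address, which is the identity gap that the per-login cookie closes.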
Cookie-based authentication can be turned on or off by using the BM_Forward_Cookie flag in the SYS:ETC\PROXY.CFG file. If the flag is turned off or if there is no entry for BM_Forward_Cookie in the PROXY.CFG file, authentication reverts to IP-based authentication.
The following entry is required in the SYS:ETC\PROXY.CFG file to enable cookie-based authentication:
BM_Forward_Cookie=1 ; cookie based authentication is enabled. 1= enabled, 0= disabled (default).
Cookie-Based Authentication Gotchas
Cookie-based Authentication does not work with SSL. Browsing to HTTP sites using SSL does not work properly when using cookie-based authentication (forward proxy or reverse proxy). Web browsers must be enabled to accept cookies.
The BorderManager server may abend if cookie-based authentication is enabled and reverse proxy and client requests are forwarded to HTTP sites using SSL.
To disable authentication for reverse proxy on your BorderManager server from NetWare Administrator, do the following:
- Click BorderManager Setup > Acceleration > Details.
- Double-click an entry in the HTTP Accelerator List.
- Uncheck Enable Authentication For This Particular Accelerator.
You can check that authentication is disabled for forward proxy by checking the value set for BM_Forward_Cookie in the [BM Cookie] section of the SYS:ETC\PROXY\PROXY.CFG file.
Single Sign On (CLNTRUST.EXE) does not work correctly when cookie-based authentication is enabled.
The transparent proxy does not work correctly when forward cookie-based authentication is enabled.