-----Original Message----- From: adrian.wells [mailto:[EMAIL PROTECTED] Sent: Thursday, September 23, 2004 11:01 AM To: Martyn Bright; [EMAIL PROTECTED] Subject: Re: [squid-users] Squid and Apache Authentication
Just an idea, Would it be possible to do this by creating a random name for the login/PW form controls using say PHP? therefore (as I understand it) IE et al would not be able to offer an entry to an unknown form control. I assume it sees "login", recognises the typed name and looks up the PW from it's database. Of course I may be way wrong! :-) Maybe a random page title would work in just the same way? Kind regards Adrian Wells ~~~~~~~~~~~~ ~~~~~~~~~~~~ Mozilla does this when I hit pages with forms too. It asks me if I'd like to save the field values for the page that I'm on. This isn't controlled at a proxy or the webserver, it is a browser setting that I can turn on or off. The basic auth pop up box, that has a built in checkbox/statement that reads "remember my password". A form based sign in can get around that, but then you have the above issue where the browser may still offer to save the username/password for that particular page. Chris ----- Original Message ----- From: "Henrik Nordstrom" <[EMAIL PROTECTED]> To: "Martyn Bright" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Thursday, September 23, 2004 11:56 AM Subject: RE: [squid-users] Squid and Apache Authentication > On Thu, 23 Sep 2004, Martyn Bright wrote: > > > A specific external site (that I do not control) the users need is https and > > not available via the remote proxy - squid goes to it directly. > > > > I need the users to authorize before they connect to this specific site. > > Unfortunately with basic auth, IE helps(!!!) by offering to remember the > > users password details. I cannot allow this as the clients are accessible > > by the public and must not be able to get to the secure site without having > > to type in a password. I know I can disable this IE helper functionality in > > windows, but that will stop it for all sites which is not what I want. > > > > I figured that if I pass authentication control to a web page of my own, I > > should be able to stop IE from interfering. > > Not really. If IE understands this page contains a password form it still > allows you to save the password... > > And since the site is using https the proxy has no means of modifying the > requests or add/delete any information while forwarding the request. All > the proxy sees is that the browser wants to connect and do something at > the requested side, nothing more. > > If the site was using http then Squid would be able to use other means of > providing the authentication credentials, but with https sites the > encryption considerably limits the man-in-the-middle capabilities. > > Regards > Henrik >