> Whatever is used will need to know who is authenticated and what they are
> allowed to see. If one of the two key properties is not known then any
> authorization cannot take place.
>
> If the clients are behaving and adding Referer headers (completely
> optional) you may get away with an ACL that checks the referrer is on the
> accepted sites list. However, this will permit one link out of the secured
> area to be taken by anyone, AND a bad client can easily forge Referer: to
> get around all your protections.
>
> With a lot of luck and some coding you could create something that
> processes pages as they come in and lets certain URLs (i.e. img/object
> hrefs) through, but either way it's a bigger risk than non-customer
> annoyance.
>

Thanks Amos,

The most annoying thing for non-authenticated users is that the
authentication pop-up keeps coming; even if the user presses escape, the
pop-up comes back on the new request. I was thinking of a setting in
Squid where it remembers for a given period that the IP is not
authenticated, without asking again and again.
