[Mailman-Developers] Is MM cookie auth 'secure' thru HTTP proxy servers?
Richard Barrett
R.Barrett@ftel.co.uk
Mon, 22 Apr 2002 17:30:14 +0100
Can someone out there sanity check my thinking on a possible hole in
Mailman's cookie based authentication.
The scenario I'm concerned with is when Mailman's web GUI is being accessed
by a browser via a caching HTTP proxy server such as Squid, hardly an
uncommon situation these days.
If my understanding is correct, then Squid (legitimately and like probably
any other HTTP proxy) has no qualms about caching a page merely because of
the existence of Cookies or Set-Cookie headers in the response or request.
This is justified by RFC 2616. The Squid FAQ says:
<quote>
The presence of Cookies headers in requests does not affect whether or not
an HTTP reply can be cached. Similarly, the presence of Set-Cookie headers
in replies does not affect whether the reply can be cached.
</quote>
It appears to me that in the absence of a Cache-Control header with a value
of private, no-cache or no-store a caching proxy server is free to cache
the response to an HTTP request purportedly protected by MM's cookie based
authentication AND to again serve that response to any other requesting
client WITHOUT consulting the server delivering the Mailman web GUI.
I am hoping one of you kind readers will tell me I have missed the obvious
in my examination of the problem and the MM source, or that the scenario
above is invalid for any reason.
In the meantime I'm working up a patch to block this possible security hole
by adding Cache-Control headers in the HTTP responses generated by MM's web GUI.
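The cache decision the post describes, as an added Python model that is not Mailman's code or the poster's patch: a shared cache ignores Set-Cookie and may store and reuse a response unless Cache-Control carries private, no-cache or no-store, and adding those directives is the proposed fix. The header names and cookie value are constructed samples.

```python
"""Added example (not Mailman code): model whether a shared HTTP cache such
as Squid may store a response and serve it to other clients without going
back to the origin. Sample headers below are constructed for illustration."""

# Cache-Control directives that stop a *shared* cache from reusing a response
# without consulting the origin (RFC 2616 section 14.9): private and no-store
# forbid storing it, no-cache forces revalidation on every reuse.
_SHARED_CACHE_BLOCKERS = {"private", "no-cache", "no-store"}


def parse_cache_control(value):
    """Split a Cache-Control header into lowercase directive names, dropping
    any '=argument' part (e.g. 'max-age=0' -> 'max-age')."""
    directives = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            directives.add(name)
    return directives


def shared_cache_may_reuse(headers):
    """Return True if a caching proxy may store this response and hand it to
    another client without contacting the server. `headers` maps response
    header name -> value; names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    # Set-Cookie is deliberately NOT consulted: as the Squid FAQ quoted in the
    # post says, its presence has no effect on cacheability.
    return not (directives & _SHARED_CACHE_BLOCKERS)


def add_no_cache_headers(headers):
    """Return a copy of `headers` carrying the Cache-Control directives that
    keep an authenticated page out of shared caches (the fix the post proposes)."""
    hardened = dict(headers)
    hardened["Cache-Control"] = "private, no-cache, no-store"
    return hardened


# Constructed sample: an authenticated admin page that sets only the session
# cookie and no cache directives, i.e. the situation the post worries about.
UNPROTECTED = {
    "Content-Type": "text/html",
    "Set-Cookie": "example-list+admin=ZXhhbXBsZQ==; Path=/mailman/",  # constructed
}
PROTECTED = add_no_cache_headers(UNPROTECTED)

CACHEABLE_BEFORE = shared_cache_may_reuse(UNPROTECTED)  # True: proxy may reuse it
CACHEABLE_AFTER = shared_cache_may_reuse(PROTECTED)     # False: fix blocks reuse
```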