[Mailman-Developers] Is MM cookie auth 'secure' thru HTTP proxy servers?

Barry A. Warsaw barry@zope.com
Sat, 27 Apr 2002 12:04:23 -0400


>>>>> "RB" == Richard Barrett <R.Barrett@ftel.co.uk> writes:

    RB> Can someone out there sanity check my thinking on a possible
    RB> hole in Mailman's cookie based authentication.

    RB> The scenario I'm concerned with is when Mailman's web GUI is
    RB> being accessed by a browser via a caching HTTP proxy server
    RB> such as Squid, hardly an uncommon situation these days.

    RB> If my understanding is correct, then Squid (legitimately and
    RB> like probably any other HTTP proxy) has no qualms about
    RB> caching a page merely because of the existence of Cookies or
    RB> Set-Cookie headers in the response or request. This is
    RB> justified by RFC 2616. The Squid FAQ says:

Now that I'm back online, I double-checked the RFC.  Section 9.5 POST says:

   Responses to this method are not cacheable, unless the response
   includes appropriate Cache-Control or Expires header
   fields. However, the 303 (See Other) response can be used to direct
   the user agent to retrieve a cacheable resource.

I think we're safe and probably don't need to change anything.  All
Mailman interactions are done through POSTs, except for public
archiver hits, and those /can/ be cached.

So unless I'm off-base, I think we're fine as-is.
-Barry
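The cacheability reasoning in this thread, as an added example (not code from the thread or from Mailman): a small audit helper that applies the RFC 2616 rules quoted above to decide whether a shared caching proxy such as Squid may store a response, then flags responses that set a cookie and could still be cached. The Mailman-like exchanges and header values are constructed for illustration.

```python
from typing import Dict, Tuple

def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def cache_control_directives(headers: Dict[str, str]) -> set:
    """Lower-cased Cache-Control directive names, with any '=value' part dropped."""
    raw = _get(headers, "Cache-Control")
    return {p.strip().split("=", 1)[0].lower() for p in raw.split(",") if p.strip()}

def shared_cache_may_store(method: str, status: int, headers: Dict[str, str]) -> bool:
    """RFC 2616 view of whether a shared cache may store this response.

    - Cookie / Set-Cookie headers on their own do not make a response uncacheable.
    - Responses to POST are not cacheable unless Cache-Control or Expires is present.
    - Cache-Control: no-store or private forbids storage in a shared cache.
    """
    directives = cache_control_directives(headers)
    if "no-store" in directives or "private" in directives:
        return False
    if method.upper() == "POST":
        # POST defaults to "not cacheable"; only explicit freshness information changes that.
        return bool(_get(headers, "Cache-Control") or _get(headers, "Expires"))
    # Status codes that RFC 2616 section 13.4 treats as cacheable by default.
    return status in (200, 203, 206, 300, 301, 410)

def audit(exchanges: Dict[str, Tuple[str, int, Dict[str, str]]]) -> list:
    """Names of exchanges where a cookie-setting response could be stored by a shared proxy."""
    return [name for name, (method, status, headers) in exchanges.items()
            if _get(headers, "Set-Cookie") and shared_cache_may_store(method, status, headers)]

# Constructed sample exchanges: (method, status, response headers).
SAMPLE = {
    "admin_login_post": ("POST", 200, {"Set-Cookie": "list+admin=TOKEN", "Content-Type": "text/html"}),
    "public_archive_get": ("GET", 200, {"Content-Type": "text/html"}),
    "options_get_cookie_no_cc": ("GET", 200, {"Set-Cookie": "user+session=TOKEN"}),
    "options_get_cookie_private": ("GET", 200, {"Set-Cookie": "user+session=TOKEN",
                                                "Cache-Control": "private, no-store"}),
}

if __name__ == "__main__":
    print("cookie responses a shared proxy may store:", audit(SAMPLE))
```

The POST login response is safe by default, which is Barry's point; the GET variant shows that the cookie alone gives no protection and that an explicit Cache-Control header is what closes the gap.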