Hi,
Running Wingate 6.2.2 on Server 2K3. User at a remote location goes to a website to update some profile information and if they submit the form after roughly 30 seconds or so, they are prompted for re-authentication to the proxy. Remote site uses one cookie (PHPSESSID) and timeout on the proxy is set at several minutes due to remote connections periodically experiencing connection issues. As long as they submit form changes within about 30 seconds, everything is ok. Anyone run into this before? Many thanks.
Armando
Reauthentication on Form Submission
Moderator: Qbik Staff
7 posts
• Page 1 of 1
Reauthentication on Form Submission
by abrambilla » Oct 31 07 4:14 am
- abrambilla
- Posts: 4
- Joined: Oct 31 07 4:09 am
by adrien » Oct 31 07 10:41 pm
Hi
Internet Explorer has some strange behaviour when using a proxy that uses NTLM, whenever it has to submit a form or upload a file (say to webmail) using the POST command, it tries first the POST command without the form data, and a Content-Length of 0. It presumably does this because it expects to be challenged for authentication, however if the client is already authenticated, then WinGate won't challenge it again, and so the 0 length POST command is actually completed, becoming an error.
It doesn't do this if it sends the POST command over an existing connection (since it believes it is still authenticated) - this most likely accounts for the delay issue.
We view this as a bug in Internet Explorer.
We have a workaround in testing in WinGate 7, but as far as I know, there's no decent way to get WinGate 6.x to work with it, and it's at best a hack, since it's not necessarily invalid to send a POST command with no content.
Are you using NTLM at the WinGate server, with clients configured to use proxy settings?
Internet Explorer has some strange behaviour when using a proxy that uses NTLM, whenever it has to submit a form or upload a file (say to webmail) using the POST command, it tries first the POST command without the form data, and a Content-Length of 0. It presumably does this because it expects to be challenged for authentication, however if the client is already authenticated, then WinGate won't challenge it again, and so the 0 length POST command is actually completed, becoming an error.
It doesn't do this if it sends the POST command over an existing connection (since it believes it is still authenticated) - this most likely accounts for the delay issue.
We view this as a bug in Internet Explorer.
We have a workaround in testing in WinGate 7, but as far as I know, there's no decent way to get WinGate 6.x to work with it, and it's at best a hack, since it's not necessarily invalid to send a POST command with no content.
Are you using NTLM at the WinGate server, with clients configured to use proxy settings?
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by abrambilla » Nov 01 07 3:00 am
Hi and thanks for the response.
Yes, we are using NTLM at the server, clients are configured to use proxy settings. This is enforced via GPO. We are not caching on the proxy.
I see what you're saying here and I thought this may be an issue in IE as well, for I am only periodically able to reproduce it on my own machine, even though I'm located in the datacentre.
Yes, we are using NTLM at the server, clients are configured to use proxy settings. This is enforced via GPO. We are not caching on the proxy.
I see what you're saying here and I thought this may be an issue in IE as well, for I am only periodically able to reproduce it on my own machine, even though I'm located in the datacentre.
- abrambilla
- Posts: 4
- Joined: Oct 31 07 4:09 am
by adrien » Nov 01 07 8:43 am
actually there may be a work-around if you have an enterprise licence.
The reason IE tries first with no POST data, is because it believes the proxy will challenge it for authentication, which WinGate would do if it didn't already know about the client.
The reason WinGate knows about the client is because of a previous connection from that IP address that authenticated - it inherited the credentials from a previous session.
However, there is a way to force WinGate to not inherit credentials, and that's to mark the IP address as a multi-user machine. In that case, each connection from that machine gets challenged for auth.
The reason IE tries first with no POST data, is because it believes the proxy will challenge it for authentication, which WinGate would do if it didn't already know about the client.
The reason WinGate knows about the client is because of a previous connection from that IP address that authenticated - it inherited the credentials from a previous session.
However, there is a way to force WinGate to not inherit credentials, and that's to mark the IP address as a multi-user machine. In that case, each connection from that machine gets challenged for auth.
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by abrambilla » Nov 01 07 8:52 am
We do have an enterprise license.
When you refer to marking the IP as a multi-user machine, are you are referring to the client? If so that is an issue because that machine is served via DHCP and is not the only one that needs to be considered.
Thank you again for your assistance and insight.
When you refer to marking the IP as a multi-user machine, are you are referring to the client? If so that is an issue because that machine is served via DHCP and is not the only one that needs to be considered.
Thank you again for your assistance and insight.
- abrambilla
- Posts: 4
- Joined: Oct 31 07 4:09 am
by abrambilla » Nov 01 07 9:23 am
Funny you should mention Firefox as that is the browser *I* use but since I am in the IT department, I have the choice. Our users do not have that option as we have not implemented Firefox. Yet.
- abrambilla
- Posts: 4
- Joined: Oct 31 07 4:09 am
7 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 10 guests