Penn Computing
Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

HTTP/HTTPS Proxy Service/PennNet Authentication System Incompatibility

FAQ: After I authenticate using the PennNet Authentication System (PAS) to access a web resource why I am immediately sent back to the login page?

Problem: Proxied web connections fail to authenticate using the PennNet Authentication System if secure connections are proxied with a different host than non-secure connections or use a random set of hosts to proxy web connections.

Summary: This problem occurs for users who use an ISP that proxies web connections to Penn web servers from a potentially random group of hosts. AOL is one such ISP that proxies secure web connections through one host and non-secure web connections through another. This guarantees that the PAS will fail for user's of this service since when they authenticate they will be coming from a different host than when they go to access the restricted resource.

Conclusion: Users with ISPs that use this type of web proxying cannot authenticate to the PennNet Authentication System protected documents served by HTTP protocol web servers.

Detail: an AOL example
  • An AOL user (A) tries to retrieve a restricted resource from Penn web server (E). This connection is proxied through AOL's non-secure web proxy server (C). Penn web server (E) believes (A) is connecting from server (C).
  • Penn web server (E) checks for a cookie indicating potentially successful PennNet authentication in the AOL user's web browser(A) via (C). If there is no cookie then this means authentication needs to take place before Penn web server (E) can serve the resource to client (A).
  • The AOL user's browser (A) is redirected to the PennNet authentication server (D) but since (D) is a secure server (A) is routed through AOL's secure web proxy server (B) this time.
  • If successful authentication takes place, (D) records that (A) has successfully authenticated from host (B), hands the AOL user's browser (A) via (B) a cookie to identify it to (E) as having successfully authenticated and then redirects the AOL user's browser (A) via (B) back to the originally requested resource on (E).
  • The AOL user's browser (A) connects to Penn web server (E) via AOL non-secure web proxy server (C). Penn Web server (E) sees that the AOL user's browser (A) via (C) now has a cookie. (E) retrieves the identifier in the browser's cookie (A) noting that (A) is connecting from (C) and then retrieves the information associated with the identifier from (D).
  • One of the items of information (E) retrieves from (D) is where (A) originally connected from. This information will read (B). (E) compares this information with where (A) is currently connecting from (C). (B) does not equal (C) so therefore (E) concludes that this is an unsafe connection because an unauthorized user may have stolen the cookie and be trying to use it to gain access to resources they should not be allowed to see.
  • (E) redirects (A) back to (D) to re-authenticate. The whole cycle begins again.
Graphic: (A)-AOL Workstation, (B)-AOL Secure Web Proxy Server, (C)-AOL Non-Secure Web Proxy Server, (D)-Secure Penn Authentication Server, (E)-Non-Secure Penn Web Server


Information Systems and Computing
University of Pennsylvania
Comments & Questions

University of Pennsylvania Penn Computing University of Pennsylvania Information Systems & Computing (ISC)
Information Systems and Computing, University of Pennsylvania