hc-dev mailing list archives

From Ortwin Glück <ortwin.glu...@nose.ch>
Subject Re: Issue With HttpClient Session Handling
Date Wed, 08 Dec 2004 13:29:04 GMT

Roland Weber wrote:
> In general, you should not try to set your application in between a
> browser and a target server just for the login. Either you route all
> requests through your application (which means rewriting all URLs
> in response documents), or you should figure out a completely
> different interaction between the browser, your application, and the
> target server (hotmail in the example).

Please keep in mind: HTTP can NOT (no, never ever) be proxied transparently.

HTTP defines a proxy protocol for a reason. An HTTP client must be aware 
of the fact that a proxy is being used and issue HTTP methods 
accordingly. This is the case when you enter a proxy host in your web 
browser or provide a proxy host in HttpClient. Especially in a 
web-browsing scenario it is essential that the client knows the proxy. 
Otherwise it cannot deal with relative URLs correctly. With the HTTP 
proxy protocol, HTTPS can be used and client identity verification is 

When a client does not know that an HTTP request is proxied, successful 
communication is only possible with some limitations. It is the same as 
a man-in-the-middle attack. No HTTPS is possible and neither server nor 
client identity verification will work. In a web-browsing scenario the 
proxy must rewrite the content(!) of the transferred content, such that 
the client is fooled correctly. A session must be established between 
server and proxy. A different session must be established between client 
and proxy. The proxy must then handle the passing of header information. 
It is a very complex and error-prone task. I generally discourage such 
stupid abuse of the HTTP protocol.

Ortwin Glück

To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org
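The two points made above (a client that knows about its proxy issues different requests than one that does not, and a "transparent" rewriting proxy has to touch the content itself or links will escape it) can be shown in a few lines. The following Python is an added example for this archive page, not code from the original post or from HttpClient; the hostnames (`mail.example.test`, `proxy.example.test`, `cdn.example.test`) and the HTML snippet are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urljoin, urlunsplit

# Matches href/src/action attributes in a simple HTML document (constructed test input below).
HREF_RE = re.compile(r'''(href|src|action)=(["'])(.*?)\2''', re.IGNORECASE)


def request_line(method, url, via_proxy):
    """Request line a client emits for `url`.

    A proxy-aware client sends the absolute URL (or CONNECT for HTTPS, so the
    TLS session is end-to-end); a client talking directly sends only the path.
    """
    parts = urlsplit(url)
    if via_proxy:
        if parts.scheme == "https":
            port = parts.port or 443
            return f"CONNECT {parts.hostname}:{port} HTTP/1.1"
        return f"{method} {url} HTTP/1.1"
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{method} {path} HTTP/1.1"


def escaping_links(html, proxy_page_url):
    """Links a browser would resolve to a host other than the proxy it fetched the page from.

    The browser believes the page lives at `proxy_page_url`; relative links stay on
    the proxy, but absolute links to the origin bypass it (and its session state).
    """
    proxy_host = urlsplit(proxy_page_url).netloc
    escaped = []
    for _attr, _quote, target in HREF_RE.findall(html):
        resolved = urlsplit(urljoin(proxy_page_url, target))
        if resolved.netloc and resolved.netloc != proxy_host:
            escaped.append(urlunsplit(resolved))
    return escaped


def rewrite_links(html, page_url, proxy_base):
    """What a non-transparent 'man in the middle' proxy must do to the content:
    rewrite every link to the origin so it routes back through the proxy.
    Third-party hosts are left alone. Note the https scheme is lost in the
    rewrite: the browser's TLS session now terminates at the proxy.
    """
    origin_host = urlsplit(page_url).netloc

    def repl(match):
        attr, quote, target = match.groups()
        resolved = urlsplit(urljoin(page_url, target))
        if resolved.netloc != origin_host:
            return match.group(0)
        new = proxy_base.rstrip("/") + "/" + resolved.netloc + resolved.path
        if resolved.query:
            new += "?" + resolved.query
        return f"{attr}={quote}{new}{quote}"

    return HREF_RE.sub(repl, html)


# Constructed sample page, as the origin server would send it.
SAMPLE_HTML = """<html><body>
<a href="/inbox">Inbox</a>
<a href="http://mail.example.test/compose?to=x">Compose</a>
<form action="https://mail.example.test/login" method="post"></form>
<img src="logo.gif">
<script src="http://cdn.example.test/app.js"></script>
</body></html>"""


if __name__ == "__main__":
    for via in (True, False):
        print(request_line("GET", "http://mail.example.test/login?x=1", via))
    print(request_line("GET", "https://mail.example.test/login", True))
    # Served unchanged through a rewriting proxy, these links bypass it:
    print(escaping_links(SAMPLE_HTML, "http://proxy.example.test/mail.example.test/"))
    fixed = rewrite_links(SAMPLE_HTML, "http://mail.example.test/inbox", "http://proxy.example.test/")
    print(escaping_links(fixed, "http://proxy.example.test/mail.example.test/inbox"))
```

Running the block prints the absolute-URL and CONNECT request lines a proxy-aware client sends, then shows that the unmodified page leaks three links past the proxy, while the rewritten page leaks only the third-party script; the HTTPS form action has become plain HTTP to the proxy, which is exactly the loss of end-to-end identity verification the post describes.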
