Websites that go from HTTP to HTTPS cause authentication problems

Article ID: 167144

Products

ProxySG Software - SGOS

Issue/Introduction

Some websites, such as Facebook and LinkedIn, start off working via HTTP and then switch to HTTPS. If the authentication method is of type "origin" (IP or cookie), and the first request made via HTTPS is the "POST" command used to log in, then authentication will fail.

This seems to be unique to Internet Explorer 8 (IE8).

Resolution

The RFC confirms that, for security reasons, a browser will not automatically follow a redirect to a POST command. That is why transparent authentication fails.

The solution is to add a rule in the local policy file (this is not possible via VPM) that bypasses authentication for the POST command:

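; Condition that is true only for requests using the POST method
define condition HTTPPost
     http.method=(POST)
end condition HTTPPost

; Skip authentication for POST requests to the two affected domains only;
; all other requests to these sites are still authenticated
<Proxy>
     url.domain="facebook.com" condition=HTTPPost Authenticate(no)
     url.domain="linkedin.com" condition=HTTPPost Authenticate(no)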
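
An added example, not part of the original article and not vendor code: a Python audit that reads a ProxySG ELFF access log and separates unauthenticated requests that the exemption above accounts for (POST to the two domains or their subdomains) from those it does not. The sample log lines and the field subset are constructed, and it is an assumption that unauthenticated requests log `-` as `cs-username` and that `url.domain=` matches on label boundaries.

```python
import shlex

EXEMPT_DOMAINS = ("facebook.com", "linkedin.com")  # domains named in the policy

# Constructed sample log. The field subset is an assumption; real logs carry
# more columns, which parse_elff() picks up from the #Fields: directive.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-scheme cs-host
2024-01-10 09:00:01 10.0.0.5 alice GET http www.facebook.com
2024-01-10 09:00:04 10.0.0.5 - POST https www.facebook.com
2024-01-10 09:01:12 10.0.0.7 - POST https www.linkedin.com
2024-01-10 09:02:30 10.0.0.9 - POST https facebook.com.example
2024-01-10 09:03:45 10.0.0.7 - GET https www.linkedin.com
"""

def domain_matches(host, domain):
    """Label-boundary suffix match (assumed model of url.domain= matching)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def parse_elff(text):
    """Yield one dict per record, taking column names from the #Fields: line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = shlex.split(line)  # ELFF quotes values that contain spaces
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def audit(text):
    """Split unauthenticated records into exempted-by-policy and unexplained."""
    exempted, unexplained = [], []
    for rec in parse_elff(text):
        if rec["cs-username"] != "-":
            continue  # request was attributed to an authenticated user
        covered = rec["cs-method"] == "POST" and any(
            domain_matches(rec["cs-host"], d) for d in EXEMPT_DOMAINS)
        (exempted if covered else unexplained).append(rec)
    return exempted, unexplained

if __name__ == "__main__":
    exempted, unexplained = audit(SAMPLE_LOG)
    for rec in unexplained:
        print("unexplained:", rec["c-ip"], rec["cs-method"], rec["cs-host"])
```

Records in the unexplained list are unauthenticated requests that the two POST rules do not cover and are worth checking against the rest of the policy.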