Websites that go from HTTP to HTTPS cause authentication problems


Article ID: 167144


Updated On:


ProxySG Software - SGOS


Some websites like Facebook and linkedin start off working via HTTP and then switch to HTTPS. If the authentication method is of type "origin" (ip or cookie), and the first request made via HTTPS is the "POST" command used to login, then authentication will fail.

This seems to be unique to Internet Explorer 8 (IE8)


The RFC confirms that it a browser will not automatically follow a redirect to a POST command for security reasons. That is the reason why transparent authentication fails.

The solution is to add a rule in the local policy file (this is not possible via VPM) to bypass authentication for the POST command


define condition HTTPPost
end condition HTTPPost

     url.domain="" condition=HTTPPost Authenticate(no)
     url.domain="" condition=HTTPPost Authenticate(no)