
Re-authentication after blocked URL not working with session/persistent cookie surrogate. Works fine with IP surrogate

guibarati
Level 4

Hi,

I have a use case where shared computers are distributed through the company floor. These shared computers are "always logged in" with a generic domain account.

We want employees to be able to use the internet on the shared computers by providing their individual domain accounts.

I created a policy to block access to all URLs for the generic domain user. So when an employee opens the browser, they are presented with the block page and the option to "Reauthenticate with a different user".

This works fine if the Identification profile is using IP surrogate, but creates a problem that after that employee leaves the station, their account is still associated with the IP address of that station and a second user could browse with the first user's identity.

The solution was to configure "Session Cookie" surrogate for the shared computers. The problem is that with session or persistent cookie surrogate, when the user clicks on "Reauthenticate with different user", then provides the credentials, the browser still uses the cookie with the first (generic) account to authenticate to the proxy, and the connection gets blocked.

Is there any way to use session cookie with the reauthentication feature?

4 Replies

Cristian Matei
VIP Alumni

Hi,

 

Try the following:

- use session cookie and have the user close the browser before reauthentication, see if it works

- use persistent cookie and configure the "Surrogate Timeout", have the user just reauthenticate, see if it works

 

Regards,

Cristian Matei.

Thank you for the reply.

 

When they close the browser with the session cookie, then re-open it, the whole process repeats. They get the "Blocked" page with the button allowing for re-authentication, but when new credentials are provided the browser still sends the previously generated credentials cookie.

 

With Persistent cookie the behavior is the same, after they get the block page, the browser saves the authentication cookie with the generic user credentials and keeps using it even when a new user authenticates.

Hi,

 

Are you using both IP address and cookie surrogates?

 

Regards,

Cristian Matei.

Only one at a time.

It looks like the solution is to make sure the traffic is decrypted for both the generic user account and the authenticated account. After making this change I'm getting better results.