[plug] multiple web clients accessing a single site via proxy

Adrian Chadd adrian at creative.net.au
Tue Jan 23 18:59:06 WST 2007

On Tue, Jan 23, 2007, Sol Hanna wrote:
> hi all,
> This isn't strictly a Linux question, but after googling for info on network 
> proxies, I've drawn a blank and am not sure where to turn. The problem is 
> next week I'm back at work (as a high school teacher) and I want to take 
> advantage of some web 2.0 kinda sites (eg: wordpress) to make my classes more
> engaging and relevant. But I had a bad experience in a yr8 media class last
> year when I was trying to get the class to sign up for some free web space 
> (on geocities if I remember right) to post some static pages they'd designed.
> They all applied for registration, but when they tried to log on, all hell 
> broke loose. Some students found that they were logged in under the user 
> names of other students. Many students found themselves blocked by the site. 
> I deduced that this was because there were 22 students trying to log onto the 
> same site at the same time, and cookies were getting routed to the wrong 
> browsers. 
> The school runs a network proxy through which all web traffic runs. I know 
> enough about proxies to know that all traffic emanating from behind the proxy 
> appears to the web servers as if coming from a single host. So matching the 
> cookie authenticated requests from each browser is a very difficult task for
> the web server if the browser requests are occurring near-to simultaneously.
> Are my conclusions about the problem correct? And if so, is there anything I 
> can do if I want a class of students to register and use a site during a 
> session without these nasty consequences?


(I've got my Squid web proxy/cache hat on here.)

This is one of those "annoying" problems with proxies in the past. Web sites
are pretty notorious for being proxy/cache ignorant!

It's not exactly as you suspect however. Some sites in the past have naively
assumed IP == session but this has thankfully gone away now that
lots-of-people-hiding-behind-one-IP-via-NAT has become all the vogue. So
nowadays it's down to bad caching information in their HTTP replies (sometimes
happens!) and sometimes badly behaving persistent connections.

The persistent connection thing is slightly annoying. Basically, a proxy would
hold open a number of connections to a server, and a number of clients could
try accessing that one server. The proxy would just hand the client one of the
idle (persistent) connections. What this means, annoyingly, is some sites
which authenticated persistent connections would actually give data
authenticated to user X to user Y.

The latest Squid release (Squid-2.6) fixes this behaviour. :)

The only way to identify the problem is to get a packet trace of the
whole exchange so your proxy vendor can identify and repair the problem.
Sometimes, in extreme cases, a "please don't cache at all kthx" rule
is put into the proxy. But this happens less and less these days.

<selfless plug>
(And if your vendor is Squid, or you want to move to a proxy/cache vendor
who'll participate in open source development, let me know. :)
<selfless plug />
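
Added example, not part of the original message: a heuristic Python check for the "bad caching information" case described above, flagging responses that set a cookie while leaving a shared cache free to store them. The function names and sample responses are constructed for illustration, and only Cache-Control is evaluated (Expires and Vary are ignored).

```python
# Added example: constructed responses, heuristic check (Cache-Control only).
BLOCKING = {"private", "no-store", "no-cache"}   # stop unvalidated shared reuse
EXPLICIT = {"public", "max-age", "s-maxage"}     # invite shared-cache storage

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    headers = []
    for line in raw.strip().splitlines()[1:]:    # skip the status line
        if not line.strip():
            break                                 # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def cache_directives(headers):
    """Collect Cache-Control directive names across all header instances."""
    names = set()
    for name, value in headers:
        if name == "cache-control":
            for part in value.split(","):
                token = part.strip().split("=")[0].lower()
                if token:
                    names.add(token)
    return names

def shared_cache_risk(raw):
    """Return a finding for a cookie-setting response, or None if none applies."""
    headers = parse_headers(raw)
    if not any(name == "set-cookie" for name, _ in headers):
        return None                               # no per-user cookie here
    directives = cache_directives(headers)
    if directives & BLOCKING:
        return None                               # origin forbade shared reuse
    explicit = sorted(directives & EXPLICIT)
    if explicit:
        return "cacheable Set-Cookie response: " + ", ".join(explicit)
    return "Set-Cookie response with no private/no-store directive"

# Constructed sample responses (not taken from any real site).
LEAKY = "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=600\r\nSet-Cookie: sid=aaa\r\n\r\n"
VAGUE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: sid=bbb\r\n\r\n"
SAFE = "HTTP/1.1 200 OK\r\nCache-Control: private, max-age=0\r\nSet-Cookie: sid=ccc\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("vague", VAGUE), ("safe", SAFE)):
        print(label, "->", shared_cache_risk(raw))
```

Run against response heads pulled from the packet trace, a finding on a login or account page is the evidence to hand to the site or proxy vendor.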

