Is it permissible for an intermediate proxy to add cookies during proxy authentication?

http-headers http proxy cookie

HTTP cookies are a hot mess. There is no real standard; the RFC, for what it's worth, merely attempts to document what actual user agents are doing.

In any case, the RFC you probably want to read is RFC 7235, which specifies that proxies are supposed to send a Proxy-Authenticate header with the 407 status to request authentication information, and user agents receiving this are supposed to retry the request with a Proxy-Authorization header containing the authentication information for the proxy.

A number of challenge/response methods could be used to supply this information; the most widely used being "basic" (RFC 7617) as pretty much everything that speaks HTTP implements it.

The IANA maintains a registry of known HTTP authentication schemes. As a general rule they use the HTTP headers named previously, or they are noted to be noncompliant. None use cookies for authentication.

Whether it's allowed for a proxy to add or change cookies, I can't say. The RFCs really don't seem to be very clear on this point. It's certainly unexpected behavior, especially for authentication. And BlueCoat has a long history of being mediocre in quality...

Related

What is the difference between base URL and mirrorlist in Yum?
How can you link nodes in a redis cluster via hostname instead of ip?
iptables-restore sometimes fails on reboot
How to kill Windows service process stuck at starting?
How to make rsync of ~2M files from remote server performant for regular backups
Hyper-V connect to local computer throws an error - virtual machine management service
Nginx Ingress 504 timeout - EKS with ELB connected to nginx ingress
Why does Amazon Linux 2 have older version of wget vs. Amazon Linux 1?
"docker-compose up" as root user or non-root user?
What is the current status of pNFS on Ubuntu?
How can I connect to Postgres running on the Windows host from inside WSL2?
Skype-SIP gateway