=== modified file 'src/cf.data.pre' --- src/cf.data.pre 2014-01-12 17:51:12 +0000 +++ src/cf.data.pre 2014-01-27 10:06:21 +0000 
@@ -313,40 +313,50 @@ Ports flagged 'transparent', 'intercept', or 'tproxy' have authentication disabled. === Parameters common to all schemes. === "program" cmdline Specifies the command for the external authenticator. Such a program runs a loop that, on every iteration, reads a request line from the standard and responds with a scheme-specific answer. The loop stops when all input is exchausted (EOF). See scheme-specific "program" descriptions below for details. "key_extras" format Specifies a string to be append to request line format for the authentication helper. "Quoted" format values may contain spaces and logformat %macros. In theory, any logformat %macro can be used. In practice, a %macro expands as a dash (-) if the helper request is sent before the required macro information is available to Squid. By default, Squid uses request formats provided in scheme-specific examples below (search for %credentials). + The expanded key_extras value is added to the Squid credentials + cache and, hence, will affect authentication. It can be used to + autenticate different users with dentical user names (e.g., when user + authentication depends on http_port). + Avoid adding frequently changing information to key_extras. For + example, if you add user source IP, and it changes frequently + in your environment, then max_user_ip ACL is going to treat every + user+IP combination as a unique "user", breaking the ACL and + wasting a lot of memory on those user records. It will also force + users to authenticate from scratch whenever their IP changes. === Parameters for the basic scheme follow. === "program" cmdline Specify the command for the external authenticator. Such a program reads a request_format line ("username password" by default) and replies with one of three results: OK the user exists. ERR the user does not exist. BH An internal error occurred in the helper, preventing a result being identified. "ERR" and "BH" results may optionally be followed by message="..." 
containing a description available as %m in the returned error page.
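Review bot: The first added key_extras paragraph has two typos, "autenticate" and "dentical", which should read "authenticate" and "identical". The same paragraph says the expanded value "will affect authentication" without saying how; please state explicitly how the value enters the credentials cache (for example, as part of the lookup key), so an administrator can predict when two requests with the same user name are treated as different users. Because the unchanged text just above says a %macro expands as a dash (-) when its information is not yet available to Squid, the new paragraph should also warn that a key_extras value expanding to "-" cannot tell such users apart, which matters for the http_port use case it recommends. In the second added paragraph, "if you add user source IP" would be clearer if it named the logformat %macro it has in mind.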