Re: authentication_ttl

From: Bert Driehuis <bert_driehuis@dont-contact.us>
Date: Wed, 01 Mar 2000 12:22:36 +0100

Jim Chivas wrote:

> I am running Version 2.3.STABLE1 AIX and have set the authentication_ttl
> value to 300. I also use the NCSA authentication method. I would have
> expected to get asked for my id and password again after 5 minutes of use.
> I didn't get asked. Can someone tell me if I should have been asked or is
> there a way to get squid to reauthenticate a user after a set period of
> use or inactivity?

The username and password are remembered by the Web browser client.
Squid caches the lookup for authentication_ttl seconds, so that it
doesn't have to do the lookup for each access (lookups can be expensive
and error-prone, e.g. when authenticating against an NT server). The
limit on the cached value is to make sure that if the administrator
changes the password for the user, his/her old password won't keep on
working indefinitely. The caching helps keep the CPU load down and
improves response.

I would not recommend doing the lookup every 300 seconds, unless you
need to enforce a very strict policy. Once every hour or once per day is
sufficient for most security policies.

The browser will only pop up a dialog if the credentials it sent are not
accepted, or the first time after starting up the browser (and I think
IE might even store the password in the user's .PWL file to survive a
reboot).

Cheers,

                                        -- Bert

-- 
Bert Driehuis, MIS -- bert_driehuis@nl.compuware.com -- +31-20-3116119
Hi! I'm a signature virus! Copy me to your .signature and help me
spread!
Received on Wed Mar 01 2000 - 06:41:30 MST
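
The caching behaviour described in the reply above, as an added example that is not part of the original message and is not Squid's code. It is a simplified model: the class name, the cache layout (keyed by user, holding the last validated password) and the sample account are assumptions made for illustration.

```python
import time


class CachedAuthenticator:
    """Model of a proxy that caches successful credential lookups for ttl seconds."""

    def __init__(self, backend, ttl, clock=time.monotonic):
        self.backend = backend   # dict user -> current password (stands in for the password file)
        self.ttl = ttl
        self.clock = clock
        self.cache = {}          # user -> (password that was validated, expiry time)
        self.lookups = 0         # number of real (expensive) backend lookups

    def check(self, user, password):
        now = self.clock()
        entry = self.cache.get(user)
        if entry and entry[0] == password and now < entry[1]:
            return True          # cache hit: backend is not consulted
        self.lookups += 1
        ok = self.backend.get(user) == password
        if ok:
            self.cache[user] = (password, now + self.ttl)
        else:
            self.cache.pop(user, None)
        return ok                # False is where the browser would pop up its dialog


def simulate(ttl=300):
    """Browser resends the same credentials every 60 s; the admin changes
    the password at t=120. Returns ([(time, accepted)], backend lookups)."""
    t = [0]
    backend = {"jim": "old-secret"}          # constructed sample account
    auth = CachedAuthenticator(backend, ttl, clock=lambda: t[0])
    results = []
    for now in range(0, 421, 60):
        t[0] = now
        if now == 120:
            backend["jim"] = "new-secret"    # administrator changes the password
        results.append((now, auth.check("jim", "old-secret")))
    return results, auth.lookups


if __name__ == "__main__":
    for when, accepted in simulate()[0]:
        print(f"t={when:3d}s old password accepted: {accepted}")
```

With a 300-second TTL the old password keeps working from the change at t=120 until the cached entry expires at t=300, so the TTL is the upper bound on how long a changed or revoked password stays usable. Before that point the user sees no prompt, because the browser silently resends credentials that are still accepted.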
