Re: [SQU] Authenticate problem:

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 23 Dec 2000 01:24:40 +0100

Henk-Jan Kloosterman wrote:

> >I have, and there sure is a small window when the ttl expires which
> >allows for multiple lookups and possibly even a minor proxy_auth cache
> >inconsistency (minor == might repair itself after a while and should
> >have no bad effects apart from a few extra bytes of memory used).
>
> How would it repair itself? Do I have to do something?

Automatically the next time the problem occurs for that user... or when
squid is restarted. Also note that there is no noticeable negative
impact from the proxy_auth cache inconsistency so there is no reason to do
anything. (but there is reason to try to correct the code to prevent it
from occurring in the first place)

> So it looks like the problem only occurs to my "heavy" internet users. (And
> that's right!)
> What would be the danger to set the authenticate_ttl to, let's say, 8 hours?

From Squid's point of view no real danger. The difference is that the
window where someone nasty may replay old tokens sniffed from the
network or end-users computer is now 8 hours instead of 1 hour, and that
your users won't be asked to calculate a new token until they have used
the same browser window for more than 8 hours.

> >a) The browser is in the middle of fetching a page with X objects left
> >to retrieve
> >b) The TTL expires, causing Squid to requery the authentication helper
> >which will tell that the password is invalid (still the old password).
> >Squid will then send "407 Proxy authentication required" to all those
> >requests.
> Looks like this!

Good.

> >c) As the browser has multiple concurrent 407 replies from the proxy, it
> >might well pop up several login dialogs to the user. But this is
> >user-agent implementation details..
>
> ?

The user might be requested to log in multiple times when the auth TTL
has expired. If and how many times is a matter of how the browser is
implemented, timing of concurrent requests, layout of the page (lots of
frames makes it likelier), and the entry of the new password.

--
Henrik Nordstrom
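A small model of the behaviour discussed in this thread, added here as an illustration and not Squid's own code: a credential cache that trusts a helper result for `ttl` seconds, with a constructed user "alice" whose password changes behind the proxy while the browser still sends the old one. It shows the replay window (the old password keeps working until the TTL runs out), the burst of helper lookups and 407s for the in-flight requests that straddle the expiry, and the cache repairing itself once the user enters the new password.

```python
from dataclasses import dataclass


@dataclass
class AuthEntry:
    password: str
    validated_at: float  # time the helper last confirmed this password


class ProxyAuthCache:
    """Model of a proxy_auth cache: a helper result is reused for `ttl` seconds."""

    def __init__(self, helper, ttl):
        self.helper = helper      # callable(user, password) -> bool
        self.ttl = ttl            # seconds, the role authenticate_ttl plays
        self.entries = {}
        self.helper_lookups = 0   # how often the (slow) helper was consulted

    def check(self, user, password, now):
        """Return 200 if the request is authorised, else 407 (re-auth needed)."""
        entry = self.entries.get(user)
        if entry and entry.password == password and now - entry.validated_at < self.ttl:
            return 200                     # fresh cache hit, helper not asked
        self.helper_lookups += 1           # TTL expired or new password: ask helper
        if self.helper(user, password):
            self.entries[user] = AuthEntry(password, now)
            return 200
        return 407


def simulate(ttl, in_flight):
    """Hypothetical scenario: the password changes while the browser still
    holds the old one, and `in_flight` objects of one page are requested
    just after the TTL expires."""
    backend = {"alice": "old-secret"}      # constructed sample credentials
    cache = ProxyAuthCache(lambda u, p: backend.get(u) == p, ttl)
    cache.check("alice", "old-secret", now=0)            # first login, one lookup
    backend["alice"] = "new-secret"                      # changed outside Squid
    # Inside the TTL the old password still passes: this is the replay window.
    inside = cache.check("alice", "old-secret", now=ttl - 1)
    # Just past the TTL every in-flight request re-queries the helper and gets 407.
    statuses = [cache.check("alice", "old-secret", now=ttl + 1) for _ in range(in_flight)]
    lookups_at_expiry = cache.helper_lookups - 1
    # The user types the new password once; the cache entry is refreshed.
    repaired = cache.check("alice", "new-secret", now=ttl + 2)
    lookups_after_repair = cache.helper_lookups
    cache.check("alice", "new-secret", now=ttl + 100)    # cache hit again
    return {"inside_ttl": inside, "expiry_statuses": statuses,
            "lookups_at_expiry": lookups_at_expiry, "repaired": repaired,
            "extra_lookups_after_repair": cache.helper_lookups - lookups_after_repair}
```

Raising `ttl` in the call (3600 vs. 28800) changes nothing in the outcome except how long the `inside_ttl` request keeps succeeding with the stale password, which is the trade-off described above.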
Received on Fri Dec 22 2000 - 17:29:03 MST