[squid-users] Re: Squid authentication ttl

From: Wei Keong <chooweikeong@dont-contact.us>
Date: Tue, 4 Jun 2002 19:11:39 +0800

Hi Henrik,

Still not clear on how to make use of the authenticate_ttl conf...
Basically, we are trying to prevent sharing of accounts, but at the same
time, not preventing our users from authenticating in the event that their IP
changes (redial)... please see if my understanding is correct...

> > 1. authenticate_ttl
> > - when authenticate_ttl has expired and Squid requests the password again,
> > it seems that the browser will send the cached password instead of
> > prompting the user. Is this true?
>
> The browser sends the password on each and every request. The browser
> caches the password in memory to avoid having to ask the user all the time.
>
> The difference you noticed between the different browsers when you open
> new windows etc is because the different browsers manage this cached
> password differently.
>
> The squid.conf ttl only applies to how long Squid will cache that the same
> password is valid, avoiding needing to ask the helper all the time.
>

authenticate_ttl 0 seconds
- Squid will send 'proxy authentication required' reply to browser for every
new request.
- However, as browser stores the userid & passwd in memory, the user may or
may not be prompted when he launches another instance or window (Ctrl-N) of
the browser.
- For a fresh new instance of browser (after closing all current browsers),
user will definitely be prompted.

authenticate_ttl 1 hour
- Squid will only send 'proxy authentication required' reply to the browser
1 hour after the first authentication.
- During this hour, when the user launches another instance or window of the
browser, the user will not be prompted.
- During this hour, when the user launches a fresh new instance of the
browser, user will not be prompted.
** However, I always get prompted every time I launch a fresh new instance or
launch another instance. Is this a bug?

> > 2. authenticate_ip_ttl & authenticate_ip_ttl_strict on
> > - when authenticate_ip_ttl has expired, Squid will not bind
> > authentication with a specific IP (deny any request from any IP). Will
> > Squid prompt the current user for authentication?
>
> Squid has no control over how long the browser will cache the user
> credentials. authenticate_ip_ttl only controls what Squid will do if it
> sees valid logins for the same user from more than one IP address.

authenticate_ip_ttl 0 seconds
authenticate_ip_ttl_strict on
- Squid will not bind any IP to the valid user. More than one user can
authenticate using the same username.

authenticate_ip_ttl 60 seconds
authenticate_ip_ttl_strict on
- Within the 60 seconds after the browser's last request, Squid will prevent
another user from authenticating using the same username.
- If the user is surfing (authentication is ongoing & authenticate_ip_ttl
never expires), no other user can authenticate using the same username.
- In the event that the user redials, Squid will only allow authentication
using the same username 60 seconds after the last browser request.

Rgds,
Wei Keong
Received on Tue Jun 04 2002 - 05:16:34 MDT
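
Added example (not part of the original message and not Squid's code): a small Python model of the two timers as this thread describes them, showing that authenticate_ttl only decides when the helper is asked again, while authenticate_ip_ttl with authenticate_ip_ttl_strict on decides whether a second IP address may use the same username. The class name, the "CHALLENGE"/"DENY"/"ALLOW" labels and the sample account and addresses are assumptions made for the illustration.

```python
# Simplified model of the behaviour discussed in this thread; not Squid source code.
# Assumption: authenticate_ip_ttl_strict is on, and a blocked request is reported
# as "DENY" (the thread does not say which reply Squid sends in that case).

class ProxyAuthModel:
    def __init__(self, helper, authenticate_ttl, authenticate_ip_ttl):
        self.helper = helper               # callable(user, password) -> bool
        self.ttl = authenticate_ttl        # seconds a validated password is trusted
        self.ip_ttl = authenticate_ip_ttl  # seconds a user stays bound to one IP
        self.helper_calls = 0
        self.validated = {}                # (user, password) -> time of last helper OK
        self.bound = {}                    # user -> (ip, time of last allowed request)

    def request(self, now, ip, creds=None):
        if creds is None:                  # browser sent no credentials at all
            return "CHALLENGE"             # 'proxy authentication required'
        user, _password = creds
        checked = self.validated.get(creds)
        if checked is None or now - checked >= self.ttl:
            self.helper_calls += 1         # cache miss or expired: ask the helper
            if not self.helper(*creds):
                return "CHALLENGE"
            self.validated[creds] = now
        if self.ip_ttl > 0:
            owner = self.bound.get(user)
            if owner and owner[0] != ip and now - owner[1] < self.ip_ttl:
                return "DENY"              # same user, other IP, binding still live
            self.bound[user] = (ip, now)
        return "ALLOW"


def demo():
    """Constructed timeline: one user who redials and moves from .1 to .2."""
    creds = ("alice", "s3cret")            # constructed sample account
    proxy = ProxyAuthModel(lambda u, p: (u, p) == creds, 3600, 60)
    trace = [
        proxy.request(0, "192.0.2.1"),           # browser has no password yet
        proxy.request(1, "192.0.2.1", creds),    # helper consulted once
        proxy.request(100, "192.0.2.1", creds),  # answered from the proxy's cache
        proxy.request(120, "192.0.2.2", creds),  # 20 s after the last request
        proxy.request(161, "192.0.2.2", creds),  # 61 s after the last request
    ]
    return trace, proxy.helper_calls


if __name__ == "__main__":
    print(demo())
```

In the model, setting authenticate_ttl to 0 raises the helper call count to one per request but never produces a challenge for a browser that keeps sending its remembered password.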
