[squid-users] Re: Squid authentication ttl

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 4 Jun 2002 15:16:37 +0200

Wei Keong wrote:

> authenticate_ttl 0 seconds
> - Squid will send 'proxy authentication required' reply to browser for
> every new request.

Not relevant. authenticate_ttl has nothing to do with the browser
communication, only the communication to the auth helper used by Squid.

> - However, as browser stores the userid & passwd in memory, the user may or
> may not be prompted when he launches another instance or window (Ctrl-N) of
> the browser.

Always correct. Squid has no control over this. How long and when the user's
credentials are cached in the browser is entirely up to the browser
implementation.

> - For a fresh new instance of browser (after closing all current browsers),
> user will definitely be prompted.

Outside of Squid's business. If the browser likes to cache the userid+password
more permanently, that is up to the browser. In any event, Squid does not see any
difference. The HTTP standard discourages permanent caching of the
credentials, but it is not forbidden. There are a couple of single-sign-on
packages doing this kind of aggressive caching.

> authenticate_ttl 1 hour
> - Squid will only send 'proxy authentication required' reply to the browser
> 1 hour after the first authentication.

No, the situation is exactly as above. Authentication takes place on each and
every request sent to Squid.

> - During this hour, when the user launches another instance or window of
> the browser, the user will not be prompted.

Up to the browser, as above.

> - During this hour, when the user launches a fresh new instance of the
> browser, user will not be prompted.

In most browser models the user will be prompted. The Squid settings are not
relevant here.

> authenticate_ip_ttl 0 seconds
> authenticate_ip_ttl_strict on
> - Squid will not bind any IP to the valid user. More than one user can
> authenticate using the same username.

Correct.

> authenticate_ip_ttl 60 seconds
> authenticate_ip_ttl_strict on
> - Within the 60 seconds after the browser's last request, Squid will prevent
> another user from authenticating using the same username.

Correct.

> - If the user is surfing (authentication is ongoing &
> authenticate_ip_ttl never expires), no other user can authenticate using
> the same username.
> - In the event that the user redials, Squid will only
> allow authentication using the same username 60 seconds after the last
> browser request.

Correct.

And the difference when "authenticate_ip_ttl_strict off" is that every time
Squid detects a change in IP address within the configured TTL it will deny
the request even if the supplied user credentials (login+password) are
correct, indicating to the browser that the login failed or is not authorized
to request the requested URL. This is to force the browser to ask the user to
login again.

However some idiotic browsers don't trust the proxy when the proxy says the
login is incorrect or not authorized to request what is being requested in
the middle of a session and quietly retry the request with the cached
credentials, thereby defeating this measure. I can only assume this is
because the same vendor does not trust their own proxy and/or web server to be
able to deal properly with logins, occasionally giving false failures.

Regards
Henrik
Received on Tue Jun 04 2002 - 07:16:48 MDT
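The username-to-IP binding discussed in this thread, as an added illustration that is not Squid's own code: a small Python model of `authenticate_ip_ttl` and `authenticate_ip_ttl_strict` following Henrik's description. It assumes (my reading of the post, not Squid's source) that strict on keeps the old binding and refuses the new IP until the TTL lapses, while strict off rebinds to the new IP but answers that one request as a failed login; the usernames, IPs and timestamps are constructed.

```python
class IpTtlBinding:
    """Model of Squid's per-username IP binding as described in the post (assumption)."""

    def __init__(self, ip_ttl_seconds, strict):
        self.ttl = ip_ttl_seconds      # authenticate_ip_ttl
        self.strict = strict           # authenticate_ip_ttl_strict
        self.bindings = {}             # username -> (ip, time of last request)

    def check(self, username, ip, now):
        """Decide a request that already carries valid credentials: 'allow' or 'deny'."""
        if self.ttl == 0:
            return "allow"             # ttl 0: no binding, concurrent users share a name
        bound = self.bindings.get(username)
        if bound is None or bound[0] == ip or now - bound[1] >= self.ttl:
            self.bindings[username] = (ip, now)   # first use, same IP, or binding expired
            return "allow"
        # IP changed while the previous binding is still within the TTL
        if self.strict:
            return "deny"              # old binding kept; the new IP is locked out
        self.bindings[username] = (ip, now)       # rebind, but make this request fail
        return "deny"                  # so a well-behaved browser re-prompts for login


def scenario(strict, ip_ttl_seconds=60):
    """Walk the thread's cases for one user: a second client, a cached retry, a redial."""
    squid = IpTtlBinding(ip_ttl_seconds, strict)
    return [
        squid.check("alice", "10.0.0.5", now=0),    # first request from the first client
        squid.check("alice", "10.0.0.9", now=30),   # second client, same username, 30 s later
        squid.check("alice", "10.0.0.9", now=31),   # that client silently retries cached creds
        squid.check("alice", "10.0.0.5", now=45),   # original client again
        squid.check("alice", "10.0.0.9", now=120),  # redial from the other IP after TTL
    ]
```

With strict off, the third decision shows the measure being defeated by a browser that retries with cached credentials instead of re-prompting, exactly the failure mode the post complains about; with strict on, the second IP stays locked out until 60 seconds have passed since the bound client's last request.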

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:25 MST