Re: [squid-users] Re: Squid authentication ttl

From: Wei Keong <chooweikeong@dont-contact.us>
Date: Tue, 4 Jun 2002 23:23:16 +0800

Hi Henrik,

Please verify...

> > authenticate_ttl 0 seconds
> > - Squid will send 'proxy authentication required' reply to browser for
> > every new request.
>
> Not relevant. authenticate_ttl has nothing to do with the browser
> communication, only the communication to the auth helper used by Squid.
>

Got it. authenticate_ttl is referring to, for authentication, whether Squid
will call the auth helper or check the cached password.

authenticate_ttl 0 seconds
- Squid will call the auth helper for every authentication
authenticate_ttl 1 hour
- Squid will cache the username & password for 1 hour.
- When the browser sends username & password on every request, instead of calling
the auth helper, Squid will just check with the cache.
- In the event that the password is changed within 1 hour after the last
request, the user will not be able to authenticate using the new password.

> > authenticate_ip_ttl 60 seconds
> > authenticate_ip_ttl_strict on
> > - If the user is surfing (authentication is ongoing &
> > authenticate_ip_ttl never expires), no other user can authenticate using
> > the same username.
> > - In the event that the user redials, Squid will only
> > allow authentication using the same username 60 seconds after the last
> > browser request.
>
> Correct.

In the event there is no browser request from userA for more than 60
seconds, userB will be able to use the same username & password to
authenticate.
If userB continues surfing, userA will not be able to authenticate/surf at
all.

> And the difference when "authenticate_ip_ttl_strict off" is that every time
> Squid detects a change in IP address within the configured TTL it will deny
> the request even if the supplied user credentials (login+password) are
> correct, indicating to the browser that the login failed or is not authorized
> to request the requested URL. This is to force the browser to ask the user to
> login again.

In which case, userA and userB will try to get authenticated, and their
requests will be denied...
Until one party gives in, both userA and userB will not be able to surf at
all.

> However some idiotic browsers don't trust the proxy when the proxy says the
> login is incorrect or not authorized to request what is being requested in
> the middle of a session and quietly retry the request with the cached
> credentials, thereby defeating this measure. I can only assume this is
> because the same vendor does not trust their own proxy and/or web server to be
> able to deal properly with logins, occasionally giving false failures..

May I know which browser is behaving like this?
If userA uses this kind of browser, he will not be prompted, whereas userB
will get prompted constantly and eventually give up.

Rgds,
Wei Keong
Received on Tue Jun 04 2002 - 09:14:04 MDT
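
Added example, not part of the original message and not Squid's own code: a small Python model of the "authenticate_ip_ttl 60 seconds" / "authenticate_ip_ttl_strict on" behaviour confirmed in the thread, replaying the userA/userB scenario on one shared username. The class and function names, the addresses and the timeline are constructed, and the model assumes a denied request does not refresh the timer.

```python
# Toy model of the strict-on behaviour described in this thread.
# Not Squid source code; all names, addresses and timings are constructed.

class StrictIpTtl:
    """One username is bound to one client IP until the binding goes idle."""

    def __init__(self, ip_ttl):
        self.ip_ttl = ip_ttl   # authenticate_ip_ttl, in seconds
        self.bindings = {}     # username -> (ip, time of last allowed request)

    def request(self, user, ip, now):
        """Return True if a correctly authenticated request is allowed."""
        bound = self.bindings.get(user)
        if bound is not None:
            bound_ip, last_seen = bound
            idle = now - last_seen
            if ip != bound_ip and idle <= self.ip_ttl:
                # Assumption: a denied request does not refresh the timer.
                return False
        # First use, same IP, or the old binding expired: (re)bind and refresh.
        self.bindings[user] = (ip, now)
        return True


def replay(events, ip_ttl=60):
    """Feed (time, username, ip) events through the model, return the verdicts."""
    gate = StrictIpTtl(ip_ttl)
    return [gate.request(user, ip, t) for t, user, ip in events]


# Constructed timeline (seconds, username, client IP) for one shared account.
TIMELINE = [
    (0,   "shared", "192.0.2.10"),    # userA logs in
    (30,  "shared", "192.0.2.10"),    # userA keeps surfing, timer refreshed
    (50,  "shared", "198.51.100.7"),  # userB tries: denied, userA still active
    (95,  "shared", "198.51.100.7"),  # 65 s after userA's last request: userB takes over
    (100, "shared", "192.0.2.10"),    # userA returns: now locked out
    (150, "shared", "198.51.100.7"),  # userB keeps surfing
    (200, "shared", "192.0.2.10"),    # only 50 s idle: userA still denied
]

if __name__ == "__main__":
    for event, allowed in zip(TIMELINE, replay(TIMELINE)):
        print(event, "allowed" if allowed else "denied")
```

The same model covers the redial case: the user's new address is treated like userB's until 60 seconds have passed since the last request from the old address.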
