Re: [squid-users] force periodic authentication in squid 2.5

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 16 Apr 2003 22:16:14 +0200

On Wednesday 16 April 2003 20.19, Sean Shannon wrote:
> Thanks for your reply. However it seems to me that forcing
> authentication should be possible. I'm still a bit confused.
> If you look at the access logs, after first authentication, squid
> knows the user/IP and the time of each request they made.

Yes, because the browser sent the login+password on each request.

> Also, the HTTP response code appears to be 407 on the first request
> and 200 for all subsequent requests.

On the first request the browser does not yet know which
login+password to use. On the second and all subsequent requests the
browser knows which login+password to use and automatically does so.

> I'm not sure but I think browsers will ALWAYS display a password
> dialog box when they receive a "401" or "407" but after the first
> authentication, they cache the ID/password and send it along with
> each request so the server doesn't challenge - thus the "200"
> responses. I'm wondering, can't squid be configured (hacked) to
> return a "401" or "407" response code periodically to the client no
> matter what the client browser sends in its request?

Yes, but you will quickly discover that most browsers (well.. those
made by Microsoft at least) will just retry the request one or two
times..

We have already tried this in the non-strict number of IP addresses
per active user checks in Squid, and it was then discovered that some
Microsoft browsers just swallowed the 407 responses and continued
using the same login+password without asking the user to
reauthenticate, effectively nullifying our attempts to force the
browser to ask the user to login again..

> I know squid authenticates every request, but does it do so by
> sending the browser a "407" response code EVERY TIME, and the
> browser handles it behind the scenes? If so, why don't the "407"
> response codes appear in the access.log?

The browser assumes the proxy will require authentication on all
requests, and automatically includes the login+password in each
request without first needing to be challenged with a 407 reply
except for the initial challenge.

Regards
Henrik
Received on Wed Apr 16 2003 - 14:15:51 MDT
