On Sat, 15 Aug 2009 16:18:32 +0100, "J Webster" <webster_jack_at_hotmail.com>
wrote:
> When users are removed from an ncsa_auth style password file, squid does not
> seem to reauthenticate them.
> Even on a subsequent browser restart, they are re-authenticated but
> worse...it allows them into the proxy even though they are not now in the
> password file.
> Testing with a user not in the password file denies them properly.
> Is the old user cached somewhere?
Yes in these places:
* in the authenticator sub-system (maybe)
* in Squid
* in the Browser
Each has a timeout and all timeouts need to clear from the bottom up.
The auth sub-systems I've seen caching have timeouts in the order of a few
seconds to halt bursts, or in some daemons a restart/reconfigure is needed
when the auth system removal process is not used properly (i.e. editing
users.conf instead of using the passwd utility).
Squid defaults to 1 hour. This is probably what you have seen. Check the
squid.conf documentation for whatever unnamed version of Squid you are
using on how to change that.
http://www.squid-cache.org/Doc/config/
Browser caches forever, until closed and restarted, or until Squid uses a
"deny" access control to tell it it's wrong.
Amos
Received on Sun Aug 16 2009 - 00:24:37 MDT
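
The Squid-side timeouts discussed in this reply, as an added squid.conf fragment that is not part of the original message. The helper path, password file path, realm and the 5 minute values are assumptions; check the directive names against the squid.conf documentation for your Squid version.

```conf
# Added example, not from the original thread. Paths and values are assumptions.

# Basic authentication through the ncsa_auth helper and its password file.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy

# How long Squid treats a username:password pair the helper has already
# validated as still good before it asks the helper again. A user removed
# from the password file keeps working until this expires.
auth_param basic credentialsttl 5 minutes

# How long a user's credentials stay in Squid's logged-in user cache
# after their last request.
authenticate_ttl 5 minutes

# Require authentication; the final deny is what tells a browser that its
# cached credentials are no longer accepted.
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all
```

Shorter TTLs mean the helper is consulted more often, so a removed account stops working sooner at the cost of more helper calls. Apply the change with `squid -k reconfigure`.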