I created my own authentication module, and tried setting nonce_max_duration
to "1 minutes" (I also tried "1 minute", and "2 minutes" to make sure there
wasn't something funky with the word minutes). My authentication module logs
every time it is called.
But when I sit there and hit refresh on the browser every ~15 seconds, I
don't get any re-authentication calls being made to the auth module (only
the initial authentication). I've kept this test up for over 5 min with no
re-authentication attempts to the auth module.
Did I mis-understand something possibly? Or is nonce_max_duration not
actually causing re-authentication to the auth_module (perhaps it just
sticks within the cached authentication in squid?)
So far the only two ways to lock out users that I understand are the
nonce_max_duration (if I can make it work as I currently understand it
should), and banned user list ACLs w/ "-k reload" calls. If anyone thinks
I'm missing anything else let me know.
Thanks,
Dave
Quote from a previous email:
========================
> nonce_max_duration determines how long the nonces may be used for.
> It's closer to what you are wanting, but I'm not sure of there are any
nasty side effects of setting it too low.
Received on Tue Mar 23 2010 - 23:17:01 MDT
This archive was generated by hypermail 2.2.0 : Wed Mar 24 2010 - 12:00:06 MDT