Re: [squid-users] Replay Auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 Nov 2013 09:42:37 +1300

On 2013-11-21 03:23, FredB wrote:
> Hello,
>
> I'm trying to use squid with two identification modes, first digest
> and second basic, all works without problem except one point
>
> auth_param basic credentialsttl 1 hours
>
> The proxy never claims the username and pass after 1 hour, so I found
> no way for forcing the replay with digest
> squid stop and start are also without effect (I guess that the browser
> replays automatically its credentials).
> I should wait that the user close his browser ...

What do you mean by "claim" ?

The browser is expected to deliver credentials on every request and the
proxy validate them. The credentialsttl is only about how often Squid
has to query the backend to validate them. When the TTL expires the
authenticator backend is checked, exactly the same as on a new login. If
it says they are still OK then a new credentialsttl period is started.
When auth works properly the browser is only ever challenged at the
start of the user's browsing session and not bothered again.

To force a change in credentials midway through a series of transactions
you need to cause the proxy to emit another auth challenge. Which can be
done by denying one of the requests using an access control line ending
with either an auth re-validation to the backend ("proxy_auth
REQUIRED"), a check against explicit username (proxy_auth <name>) or
with an external ACL that depends on %LOGIN.

http://wiki.squid-cache.org/action/show/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

Amos
Received on Wed Nov 20 2013 - 20:42:41 MST
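
An added example, not part of the original message and not the Squid project's own configuration: a squid.conf fragment showing the three deny-line endings named in the reply that make the proxy emit a new auth challenge. Helper paths, password files, realm text, ACL names, user names, the domain and the session_check_helper program are assumptions for illustration.

```conf
# Digest offered first, Basic second, as in the question.
# Helper locations and password files are assumed; adjust to the install.
auth_param digest program /usr/lib/squid/digest_file_auth /etc/squid/digest_passwd
auth_param digest realm proxy
auth_param digest children 5

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd
auth_param basic realm proxy
auth_param basic children 5
# Only sets how long Squid trusts a validated Basic login before asking the
# helper again. It does not make the browser prompt the user.
auth_param basic credentialsttl 1 hour

# 1. Auth re-validation against the backend.
acl authenticated proxy_auth REQUIRED

# 2. Check against explicit usernames (constructed names and domain).
acl admin_users proxy_auth alice bob
acl admin_sites dstdomain .admin.example.com

# 3. External ACL that depends on %LOGIN. The helper is hypothetical: it is
#    assumed to answer OK while the login is still acceptable and ERR once
#    the user should enter credentials again.
external_acl_type session_check ttl=60 negative_ttl=0 %LOGIN /usr/local/bin/session_check_helper
acl session_ok external session_check

# Each deny line below ENDS with an auth-dependent ACL, so a failed match is
# answered with a new 407 challenge rather than a plain denial.
http_access deny !authenticated
http_access deny admin_sites !admin_users
http_access deny !session_ok

# For contrast: appending "all" makes the last ACL non-auth, so the same
# mismatch is denied without re-challenging the browser.
# http_access deny admin_sites !admin_users all

http_access allow authenticated
http_access deny all
```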
