Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 18 Feb 2014 23:53:52 +1300

On 18/02/2014 5:43 a.m., Scott Mayo wrote:
> On Mon, Feb 17, 2014 at 10:39 AM, Wim Ramakers
> <wim.ramakers_at_lucine-os.be> wrote:
>> I forgot to paste the line in the first post, I’ve set authenticate_cache_garbage_interval 5 minutes.
>>
>> Even after an hour I stayed authenticated, so I’ve changed it also to a lower value.
>
>
> I am curious about this also then. I wonder if that is the browser. Is
> there a setting for how often a browser asks for authentication?
>
> My assumption would be that the browser asks Squid for authentication.
> Once it is authenticated with your LDAP, then it will not have to
> authenticate again until the browser asks again. I may be totally
> wrong though.
>

I think you are misunderstanding the authentication model in a big way.
The browser is only asking Squid for access to a resource (via its URL).

In a properly working authentication system the user will only be asked
for credentials 0 or 1 times *total*. This goes for all authentication
types.

http://wiki.squid-cache.org/Features/Authentication#How_does_Proxy_Authentication_work_in_Squid.3F

The behaviour you are seeing is because the credentials are still valid
in the authentication database.

NP: browsers do not provide any logout mechanism to users. The above
wiki page has an example of ACL configuration to force a change of
credentials.

Amos
Received on Tue Feb 18 2014 - 10:54:10 MST
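
The behaviour described in the reply above can be modelled in a few lines. This is an added example, not part of the original post and not Squid code: the `Proxy` and `Browser` classes, the `DIRECTORY` table, the Basic scheme and the timing values are all constructed for illustration.

```python
import base64

DIRECTORY = {"alice": "s3cret"}  # constructed stand-in for the LDAP database

class Proxy:
    """Toy proxy: remembers a validated credential for ttl seconds."""
    def __init__(self, ttl):
        self.ttl, self.cache, self.backend_checks = ttl, {}, 0

    def handle(self, headers, now):
        cred = headers.get("Proxy-Authorization")
        if cred is None:
            return 407                    # no credentials sent: challenge
        if self.cache.get(cred, 0) > now:
            return 200                    # cached validation still fresh
        self.backend_checks += 1          # cache expired: ask the directory
        user, _, pw = base64.b64decode(cred.split()[1]).decode().partition(":")
        if DIRECTORY.get(user) != pw:
            return 407                    # no longer valid in the database
        self.cache[cred] = now + self.ttl
        return 200

class Browser:
    """Toy browser: prompts the user only on 407, then replays silently."""
    def __init__(self, user, pw):
        self.user, self.pw, self.saved, self.prompts = user, pw, None, 0

    def get(self, proxy, now):
        headers = {"Proxy-Authorization": self.saved} if self.saved else {}
        status = proxy.handle(headers, now)
        if status == 407:
            self.prompts += 1             # the only point a dialog appears
            token = base64.b64encode(f"{self.user}:{self.pw}".encode()).decode()
            self.saved = "Basic " + token
            status = proxy.handle({"Proxy-Authorization": self.saved}, now)
        return status

def simulate(ttl=300, step=600, requests=7):
    """One request every `step` seconds; the proxy cache expires each time."""
    proxy, browser = Proxy(ttl), Browser("alice", "s3cret")
    statuses = [browser.get(proxy, i * step) for i in range(requests)]
    return statuses, browser.prompts, proxy.backend_checks

if __name__ == "__main__":
    print(simulate())
```

With the defaults, `simulate()` covers an hour of requests against a five-minute cache: the directory is consulted on every request, yet the user is prompted once.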
