Re: [squid-users] Re: Squid authentication ttl

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 4 Jun 2002 17:38:10 +0200

Wei Keong wrote:

> - In the event that the password is changed within 1 hour after the last
> request, the user will not be able to authenticate using the new password.

He will. Squid will check with the helper if the received password does not
match the cached copy.

What is true is that if the password is changed then the user may be able to
continue using the old password up to at most one hour.

[authenticate_ip_ttl_is_strict on]

> In the event there is no browser request from userA for more than 60
> seconds, userB will be able to use the same username & password to
> authenticate.
> If userB continues surfing, userA will not be able to authenticate/surf at
> all.

Correct.

[authenticate_ip_ttl_is_strict off]

> In which case, userA and userB will try to get authenticated, and their
> requests will be denied...
> Until one party gives in, both userA and userB will not be able to surf at
> all

Not entirely correct.

The intention is that both users should be bothered with a login box most of
the time (each time requests from more than one IP within the TTL have been
detected). However, some browsers intentionally defeat this by retrying at
least one more time if a previously successful login suddenly fails.

> May I know which browser is behaving like this?

Have mostly seen this problem with the non-strict mode reported by
administrators having users using MS IE.

> If userA uses this kind of browser, he will not be prompted, whereas userB
> will get prompted constantly and eventually give up.

This is the result with the strict mode turned on.

The intention when strict mode is turned off is that:

- user A browses
- user B logs in
- if user A tries to continue to browse he will be requested to log in again
  if requests have been seen from user B
- same thing for user B.

Meaning that if there are two concurrent users using the same login then both
should need to log in mostly all the time, to make it really annoying to share
the password with another user.

Regards
Henrik
Received on Tue Jun 04 2002 - 09:38:20 MDT
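
A simplified model of the strict and non-strict behaviour described in this message, added here as an illustration; it is not part of the original message and not Squid's code. The names `IpTtlModel` and `replay` and the sample traffic are constructed, and clearing the binding on a conflict in non-strict mode is an assumption of the model.

```python
# Simplified model of the per-user IP binding discussed in this message.
# Not Squid source code; all names here are made up for illustration.
class IpTtlModel:
    def __init__(self, ttl=60, strict=True):
        self.ttl = ttl          # seconds, plays the role of the IP TTL
        self.strict = strict    # plays the role of authenticate_ip_ttl_is_strict
        self.seen = {}          # username -> {client_ip: time of last request}

    def request(self, user, ip, now):
        """Decide a request that carries valid credentials: 'OK' or 'DENIED'."""
        ips = self.seen.setdefault(user, {})
        # Forget addresses that have been idle for longer than the TTL.
        for addr in [a for a, t in ips.items() if now - t > self.ttl]:
            del ips[addr]
        if not ips or ip in ips:
            ips[ip] = now       # first address, or the one already bound
            return "OK"
        # A second address showed up inside the TTL window.
        if not self.strict:
            # Assumption: non-strict forgets the binding, so whoever asks next gets in.
            ips.clear()
        return "DENIED"         # the browser shows the login box


def replay(model, events):
    """Run constructed (time, user, ip) events and collect the decisions."""
    return [model.request(user, ip, t) for t, user, ip in events]


# Constructed sample traffic: users A and B share the login "alice".
A, B = "10.0.0.1", "10.0.0.2"
# Both active at once; B and then A each retry one second after a denial.
SHARED = [(0, "alice", A), (10, "alice", B), (11, "alice", B),
          (20, "alice", A), (21, "alice", A)]
# A goes idle for more than 60 seconds, B takes over and keeps browsing.
TAKEOVER = [(0, "alice", A), (61, "alice", B), (70, "alice", A),
            (100, "alice", B), (130, "alice", A)]

if __name__ == "__main__":
    print("strict on,  shared:  ", replay(IpTtlModel(60, True), SHARED))
    print("strict off, shared:  ", replay(IpTtlModel(60, False), SHARED))
    print("strict on,  takeover:", replay(IpTtlModel(60, True), TAKEOVER))
```

In the non-strict run the request sent right after a denial succeeds, which is the browser retry effect mentioned above.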
