Re: [SQU] Authenticate problem:

From: Henrik Nordstrom <[email protected]>
Date: Fri, 22 Dec 2000 16:04:23 +0100

Henk-Jan Kloosterman wrote:

> > The browser always authenticates, but Squid tries to cache this to not
> > overload the backend database.
>
> Can I disable this cache? Cuase it realy "feels" that this is the problem.

Most likely not. All this cache does is to lower the amount of requests
to the backend authentication service. If you disable the cache then
Squid will have to validate the password on each and every request. And
since you use securid tokens this means that the user would have to
generate a new passphrases mostly the whole time..

> > Is the radius authentication sucessful, or is it repeated failures?
>
> No it is not succesfull: And there is the problem! The passwords change
> ervery minute (we use a "secureid" token to generatie the password)

Ok. So each user whould have to reauthenticate each authenticate_ttl
then, possibly causing trouble if it happens in the middle of a page, or
on a page partially cached in the client browser. If the users browser
have or tries to open multiple connections to the proxy when the old
passphrase expires then multiple requests for a new identification will
be sent (one for each concurrent request not carrying a valid
identification).

Hmm.. maybe there are a proxy_auth cache defiency there. In theory the
first request carrying the new passphrase would be sent to the
authenticator, but maybe all are until the authenticator returns. Need
to check the code on this.

> > What is your settings of
> >
> > authenticate_ttl
>
> 3600

Fine.

> > authenticate_ip_ttl
>
> 3600

This might also be one source if the same userid tried to access Squid
from two or more different IP's.

--
Henrik Nordstrom
Squid hacker
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Fri Dec 22 2000 - 08:28:46 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:05 MST