RE: [squid-users] force periodic authentication in squid 2.5

From: Sean Shannon <[email protected]>
Date: Wed, 16 Apr 2003 14:19:44 -0400

Thanks for your reply. However it seems to me that forcing
authentication should be possible. I'm still till a bit confused.
If you look at the access logs, after first authentication, squid
knows the user/IP and the time of each request they made.
Also, the HTTP response code appears to be 407 on the first request
and 200 for all subsequent requests.
I'm not sure but I think browsers will ALWAYS display a password
dialog box when they receive a "401" or "407" but after the first
authentication, they cache the ID/password and send it along with
each request so the server doesn't challenge -thus the "200" responses.
I'm wondering, can't squid be configured(hacked) to return a
"401" or "407" response code periodically to the client no matter
what the client browser sends in its request?
I know squid authenticates every request, but does it do so by
sending the browser a "407" response code EVERY TIME, and the
browser handles it behind the scenes? If so, why don't the "407"
response codes appear in the access.log?

Thanks
Sean

> Hi,
> This seems like a very basic configuration issue, but I have been unable
to
> find an answer
> within the FAQ or numerous google searches.

This is because there is no good answer to this seemingly basic
question, and as described below the problem is not actually a Squid
problem but a more generic one relating to the HTTP protocol.

> I would like to configure squid to re-authenticate (deny a request to
force
> the browser to ask for ID and password), if 15 minutes have passed since
their
> last request. (IOW: someone logged in, used the Internet, and walked
> away without shutting down the browser)

Then you need to configure your browser to have this timeout. There is
nothing Squid can do about this.

Fact: Squid asks for authentication on each and every request. There is
no such thing as "login" or "logout" in HTTP, and authentication happens
per request.

The only reason why you do not see the login box all the time is because
your browser caches the login+password in memory, for as long as the
browser sees fit. The HTTP standard recommends such caching for very
obvious reasons (would not be possible to browse otherwise), but do not
put a limit on how long this should be cached and this detail is left up
to the implementation of the browser.

> I've looked at the various time-to-live settings in squid.conf but I think
> things have changed between versions.

The time-to-live settings does not apply to the question. It only
applies to how long Squid internally caches that the login+password is
indeed valid without having to verify this with the authentication
helper on each and every request.

Regards
Henrik

--
Free Squid-users support provided by Henrik Nordstr�m <hno@squid-cache.org>
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [email protected]
Received on Wed Apr 16 2003 - 12:20:44 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:15:00 MST