Re: [SQU] Authenticate problem:

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 23 Dec 2000 01:07:06 +0100

Robert Collins wrote:

> > Hmm.. maybe there is a proxy_auth cache deficiency there. In theory the
> > first request carrying the new passphrase would be sent to the
> > authenticator, but maybe all are until the authenticator returns. Need
> > to check the code on this.
>
> The Auth_rewrite branch should have this fixed as a 'freebie'. I'll check
> when I get fully back on deck. If not then it will be trivial to fix
> in auth_rewrite.

Ok. I'll await your investigation, but in the current code (not
auth_rewrite) there surely is a window between the first query and the
result where additional requests will spawn additional validations, and
probably even cause duplicate entries in the cache.

> > > > authenticate_ip_ttl
> > >
> > > 3600
> >
> > This might also be one source if the same userid tried to access Squid
> > from two or more different IP's.
> >
>
> This is fixed in auth_rewrite. We compare the passwords in memory without an external trip.

So how do you implement authenticate_ip_ttl's normal soft mode where the
user is meant to be required to reauthenticate each time he/she switches
IP within the TTL?

In the normal code this is done by forgetting the cached credentials
each time a switch is detected, AND rejecting the request with
"authentication required". This way the user can switch IP with only a
minor annoyance, but if two IPs try to use the same user then things
will get really annoying for the user.

Hmm.. could of course change it to simply change the IP instead of
dropping the cache entry.. probably a good idea.

In strict ip_ttl mode the requests from other IPs are always denied
until the TTL has expired.

/Henrik
Received on Fri Dec 22 2000 - 17:07:29 MST
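An added illustration, not Squid's code and not part of this thread, of the three authenticate_ip_ttl behaviours Henrik describes: soft mode dropping the cached entry on an IP switch, his suggested variant of rebinding the entry to the new IP instead, and strict mode denying other IPs until the TTL expires. It assumes credentials validate on first sight, measures the TTL from when the user was first bound to an IP, and uses constructed user names and addresses.

```python
# Simplified model of the per-user IP binding behind authenticate_ip_ttl.
# Assumption: credentials are valid; the only per-user state kept is the IP
# the user was last bound to and when that binding was made.
from dataclasses import dataclass

AUTHENTICATE_IP_TTL = 3600  # seconds; the value quoted in the thread


@dataclass
class Binding:
    ip: str
    bound_at: float


class IpTtlPolicy:
    def __init__(self, mode="soft", ttl=AUTHENTICATE_IP_TTL):
        # "soft":   drop the cached entry on an IP switch and bounce with 407
        # "rebind": keep the entry but move it to the new IP, still bounce once
        # "strict": deny requests from other IPs until the TTL has expired
        assert mode in ("soft", "rebind", "strict")
        self.mode, self.ttl = mode, ttl
        self.bindings = {}   # user -> Binding
        self.lookups = 0     # round trips to the external authenticator

    def request(self, user, ip, now):
        b = self.bindings.get(user)
        if b is None or now - b.bound_at >= self.ttl:
            self.lookups += 1                  # nothing cached: ask the authenticator
            self.bindings[user] = Binding(ip, now)
            return "allow"
        if b.ip == ip:
            return "allow"                     # same IP within the TTL
        if self.mode == "strict":
            return "deny"                      # other IPs wait for the TTL
        if self.mode == "soft":
            del self.bindings[user]            # forget the cached credentials...
        else:
            b.ip, b.bound_at = ip, now         # ...or just rebind to the new IP
        return "reauth"                        # ...and answer "authentication required"


def simulate(mode, events):
    """events: (user, ip, time) tuples; returns (decisions, authenticator lookups)."""
    policy = IpTtlPolicy(mode)
    return [policy.request(*e) for e in events], policy.lookups


# Constructed scenario: one user alternating between two IPs well inside the TTL.
PING_PONG = [("alice", "10.0.0.1", 0), ("alice", "10.0.0.2", 10),
             ("alice", "10.0.0.2", 11), ("alice", "10.0.0.1", 20),
             ("alice", "10.0.0.1", 21)]
```

Running all three modes over PING_PONG shows the trade-off in the thread: soft and rebind both let the user switch after one 407, but rebind avoids the extra authenticator trip on every switch, while strict simply refuses the second IP.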

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:06 MST