RE: logoff authentication

From: Armistead, Jason <ARMISTEJ@dont-contact.us>
Date: Wed, 10 Dec 1997 21:59:00 -0500

> From:
> frank@ctcqnx4.ctc.cummins.com[SMTP:frank@ctcqnx4.ctc.cummins.com]
> Sent: Wednesday, 10 December 1997 15:04
> Subject: logoff authentication
>
> I am using proxy authentication. How can I provide the users
> with a "logoff" option (a link on the proxy server's web server?)
> so that they don't have to quit the web browser?
> In a shared environment like ours, it is possible that several
> users are sharing the same machine/browser. I want users to
> use their own proxy account.
>
Frank

You need to provide another "Proxy-Authenticate" failure header, like
that which is generated by Squid (below)

HTTP/1.0 407 Cache Access Denied
Proxy-Authenticate: Basic realm="OEC-A's Squid Internet Proxy Dec 11"

We've hacked ours so that it provides a different "realm" each day, and
after 5:30pm too, so that after-hours users must re-authenticate when
the boss has gone home. This also stops MSIE "Save this password" from
working too.

You could do a similar thing, and maybe, by using an Apache or similar
web server on the proxy, call as a CGI script a modified version of the
Squid "client" program to generate some special header which instructs
Squid to cause requests from the particular client IP address to then
require a new realm for it (thus forcing a new username password to be
needed).

This should be something on the "nice to have" part of Squid.

The keeping track of, and aging of client IP addresses, and then
responding to an extra header field probably requires the most work.
Changing the realm is a very easy hack.

Cheers

Jason
Received on Wed Dec 10 1997 - 16:11:55 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:54 MST