On Mon, May 08, 2006 at 10:21:38AM -0400, Michael W. Lucas wrote: > On Mon, May 08, 2006 at 02:01:09PM +0200, Christoph Haas wrote: > > Not quite right. You can indeed enforce re-authentication. It's just > > lousily documented. See: > > > > http://workaround.org/moin/HowSquidAclsWork#head-d6e6569888d3fc8fd4e0dd2031e09744d2bd38e7 > > (Hmm, I should give it a shorter section name. :) ) > > Thanks for the pointer, that's quite clever. But is there a way to do > this every 15 minutes, instead of by site? I haven't heard of such a way yet. > > Another frequent cause of such re-authentications is an erroneous backend. > > The credentials are indeed cached in the browser from from time to time > > Squid checks the backend whether the credentials are still valid. If the > > backend denies that then Squid will ask the user again for the credentials. > > The time that Squid believes the credentials are still valid without > > checking the backend are set in the "auth_param basic credentialsttl" > > parameter. > > I'm actually trying to replace this system because of authentication > problems. I wonder if my predecessor introduced intermittent > authentication errors in an effort to create a 15-minute repeat. > (That would be fine, except that sometimes invalid usernames and > passwords are accepted...) Is that really useful? The TTL I mentioned checks the credentials against the backend anyway. So if you cancel the user account in the backend it will take no longer than the TTL until the users gets blocked. Frequent re-authentications just sound like user torturing. (I don't mean to claim that users don't deserve to be tortured though.) Kindly Christoph