On Sat, 15 Aug 2009 16:18:32 +0100, "J Webster" <webster_jack@xxxxxxxxxxx> wrote:
> When users are removed from an ncsa_auth style password file, squid does
> not seem to reauthenticate them.
> Even on a subsequent browser restart, they are re-authenticated but
> worse...it allows them into the proxy even though they are not now in the
> password file.
> Testing with a user not in the password file denies them properly.
> Is the old user cached somewhere?

Yes in these places:
 * in the authenticator sub-system (maybe)
 * in Squid
 * in the Browser

Each has a timeout and all timeouts need to clear from the bottom up.

The auth sub-systems I've seen caching have timeouts in the order of a few seconds to halt bursts, or in some daemons a restart/reconfigure is needed when the auth system removal process is not used properly (i.e. editing users.conf instead of using the passwd utility).

Squid defaults to 1 hour. This is probably what you have seen. Check the squid.conf documentation for whatever unnamed version of Squid you are using on how to change that.
http://www.squid-cache.org/Doc/config/

Browser caches forever, until closed and restarted, or until Squid uses a "deny" access control to tell it it's wrong.

Amos
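
As an added example (not part of the original post): a squid.conf fragment that shortens how long Squid keeps trusting a username:password pair the helper has already validated, assuming the Squid-side timeout discussed above is the Basic scheme's `credentialsttl`. The helper path, password-file path, ACL name and the 5-minute value are assumptions; check the documentation for your Squid version.

```conf
# Basic authentication against an NCSA-style (htpasswd) file.
# Both paths are assumptions; adjust to your installation.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy

# How long Squid accepts a previously validated username:password pair
# without asking the helper again. A user removed from the password file
# can keep being accepted from Squid's cache until this expires.
# The value here is an illustrative assumption.
auth_param basic credentialsttl 5 minutes

# Require valid credentials; everything else is denied.
acl authed_users proxy_auth REQUIRED
http_access allow authed_users
http_access deny all
```

A shorter TTL means more helper lookups, so the value trades revocation delay against helper load. Apply the change with `squid -k reconfigure`.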