Re: When user removed from password file ncsa_auth, they are not reauthenticated


Does auth_param basic credentials_ttl have to be set in conjunction with authenticate_cache_garbage_interval? The help files don't make it clear and they seem to both do the same thing. ?confused?

--------------------------------------------------
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
Sent: Sunday, August 16, 2009 1:24 AM
To: "J Webster" <webster_jack@xxxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Subject: Re: When user removed from password file ncsa_auth, they are not reauthenticated

On Sat, 15 Aug 2009 16:18:32 +0100, "J Webster" <webster_jack@xxxxxxxxxxx>
wrote:
When users are removed from an ncsa_auth style password file, squid does not
seem to reauthenticate them.
Even on a subsequent browser restart, they are re-authenticated but
worse...it allows them into the proxy even though they are not now in the
password file.
Testing with a user not in the password file denies them properly.
Is the old user cached somewhere?

Yes in these places:
* in the authenticator sub-system (maybe)
* in Squid
* in the Browser

Each has a timeout and all timeouts need to clear from the bottom up.

The auth sub-systems I've seen caching have timeout in the order of a few
seconds to halt bursts, or in some daemons a restart/reconfigure is needed
when the auth system removal process is not used properly (ie editing
users.conf instead of using passwd utility).

Squid defaults to 1 hour. This is probably what you have seen. Check the
squid.conf documentation for whatever unnamed version of Squid you are
using on how to change that.
http://www.squid-cache.org/Doc/config/

Browser caches forever, until closed and restarted, or until Squid uses a
"deny" access control to tell it it's wrong.

Amos
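
An added example, not part of the original thread: a small audit of the Squid layer of the caching described above. It reads the three auth timers from a squid.conf and flags a long `credentialsttl`, which per the squid.conf documentation is how long Squid reuses a helper's answer before asking it again, while `authenticate_ttl` and `authenticate_cache_garbage_interval` only control when idle entries are swept from memory. The sample config, its paths, the function names and the 300-second limit are assumptions made for the example.

```python
# Seconds per unit; a subset of the time units squid.conf accepts.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
TIMERS = ("credentialsttl", "authenticate_ttl",
          "authenticate_cache_garbage_interval")

# Constructed sample, not taken from the thread; the paths are placeholders.
SAMPLE = """\
# basic auth against an NCSA-style password file
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic credentialsttl 2 hours
authenticate_cache_garbage_interval 1 hour
acl users proxy_auth REQUIRED
http_access allow users
"""

def auth_timers(conf_text):
    """Return each auth timer in seconds, or None if the file does not set it."""
    found = dict.fromkeys(TIMERS)
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments
        if words[:2] == ["auth_param", "basic"]:
            words = words[2:]                      # e.g. credentialsttl 2 hours
        if len(words) == 3 and words[0] in found:
            unit = words[2].lower().rstrip("s")
            if unit not in UNITS:
                raise ValueError("unknown time unit in: " + raw.strip())
            found[words[0]] = int(float(words[1]) * UNITS[unit])
    return found

def revocation_findings(conf_text, max_window=300):
    """List reasons a user deleted from the password file may still get in."""
    ttl = auth_timers(conf_text)["credentialsttl"]
    if ttl is None:
        return ["credentialsttl not set: this Squid version's default applies"]
    if ttl > max_window:
        return ["credentialsttl is %ds: a removed user can be accepted for up "
                "to that long (limit %ds)" % (ttl, max_window)]
    return []

if __name__ == "__main__":
    print(auth_timers(SAMPLE))
    for finding in revocation_findings(SAMPLE):
        print("WARN:", finding)
```
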

