I created my own authentication module, and tried setting nonce_max_duration to "1 minutes" (I also tried "1 minute", and "2 minutes" to make sure there wasn't something funky with the word minutes). My authentication module logs every time it is called. But when I sit there and hit refresh on the browser every ~15 seconds, I don't get any re-authentication calls being made to the auth module (only the initial authentication). I've kept this test up for over 5 min with no re-authentication attempts to the auth module. Did I mis-understand something possibly? Or is nonce_max_duration not actually causing re-authentication to the auth_module (perhaps it just sticks within the cached authentication in squid?) So far the only two ways to lock out users that I understand are the nonce_max_duration (if I can make it work as I currently understand it should), and banned user list ACLs w/ "-k reload" calls. If anyone thinks I'm missing anything else let me know. Thanks, Dave Quote from a previous email: ======================== > nonce_max_duration determines how long the nonces may be used for. > It's closer to what you are wanting, but I'm not sure of there are any nasty side effects of setting it too low.
