> > What do you mean by "claim" ? I would mean no banner > > The browser is expected to deliver credentials on every request and > the > proxy validate them. The credentialsttl is only about how often Squid > has to query the backend to validate them. When the TTL expire the > authenticator backend is checked, exactly the same as on a new login. > If > it says they are still OK then a new credentialsttl period is > started. > When auth works properly the browser is only ever challenged at > the > start of the users browsing session and not bothered again. > Yes, it's the point, with digest the user can revalidate with some options but not with basic > To force a change in credentials midway through a series of > transactions > you need to cause the proxy to emit another auth challenge. Which can > be > done by denying one of the requests using an access control line > ending > with either an auth re-validation to the backend ("proxy_auth > REQUIRED"), a check against explicit username (proxy_auth <name>) or > with an external ACL that depends on %LOGIN. > > http://wiki.squid-cache.org/action/show/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F Thank very much, I didn't find this, unfortunately it doesn't work right with this at the end acl my_auth proxy_auth REQUIRED acl google_users proxy_auth user1 user2 user3 fred acl google dstdomain .google.com http_access deny google !google_users http_access allow my_auth http_access deny all When I'm surfing (digest or basic) my auth is never re-validate To be sure I removed "fred" form acl google_users and I'm denied and my browser show the banner >From the wiki "In this case if the user requests www.google.com then the first http_access line matches and triggers re-authentication unless the user is one of the listed users." It's not completely right, I think the doc give the impression that it sequential (user1 banner, user2 banner, etc), but with acl google_users proxy_auth user1 user2 user3 fred no banner With acl google_users proxy_auth user1 user2 user3, banner, and I need to change my user for userx It cannot be used really used because you must change your user for another ... But maybe I misunderstanding something So thank very much, I know now that squid can force the revalidation (perhaps It only lacks one option like authenticate_disconnet) the question is how exactly ? Fred