Hello again Amos,
Today I made a (ugly) patch for squid 3.2.13, who changes the credentialsttl behaviour
With auth_param basic credentialsttl 1 minute the user must replay his ident (of course if the negotiation is the second, BASIC).
Better - for me - ! The digest (first identification) is proposed as new choice.
Of course if I disable the digest - so only with basic - the pop-pup will comes again every minutes.
I'm not a C++ expert, and I think there are some bad things, but it works pretty good
I thing a better way should be : add an option, something like auth_param basic credentialsttldisconnect
The "trick" is:
src/auth/UserRequest.h: CRED_BANNED = -3
A new case in src/auth/UserRequest.cc
case Auth::CRED_BANNED:
*auth_user_request = NULL
return AUTH_ACL_CHALLENGE;
For basic
src/auth/basic/UserRequest.cc
case Auth::Ok:
if (user()->expiretime + static_cast<Auth::Basic::Config*>(Auth::Config::Find("basic"))->credentialsTTL <= squid_curtime){
// Avoid infinit loop //
user()->expiretime = current_time.tv_sec;
return Auth::CRED_BANNED;
}
return Auth::CRED_VALID;
I hope I forgot nothing
I have just one problem for the moment, sometimes the ident banner appear twice I guess there is a problem about user()->expiretime = current_time.tv_sec place when the user is beyond two minutes without browsing the timer is expired again, I will investigate ...
Thank
Fred
