Amos, I implemented a custom ‚session’ helper that checks ip’s and expire date, and used the acl order you gave in the regular session helper example. It works! The reason why the default session helper does not work is that not only my browser is sending requests, but also apps like Facebook and Twitter… so they get the error but I do not in my browser. Thanks to all who posted ideas here that got me on the right track! There is however still one thing i need to fix, I need to pass the client ip as parameter in the deny_info url. (to update the session db) http://www.squid-cache.org/Versions/v3/3.4/cfgman/deny_info.html tells me to use %i, but that returns a 0 instead of client ip http://www.squid-cache.org/Versions/v3/3.1/cfgman/deny_info.html mentions no URL FORMAT TAGS How does it work in v3.1 to get the client ip?