-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 15/11/2014 7:33 p.m., Victor Sudakov wrote: > Amos Jeffries wrote: >>> >>> I have set-up squid proxy server with ldap authentication , the >>> infrastructure is setup in such a way that users have to >>> access the internet through the proxy .In Internet explorer >>> there's an option to save the credntials and once its saved >>> during the prompt squid wont ask for credentials the user will >>> have direct access to internet . > >> Wrong and wrong. HTTP (thus Squid) is stateless. Each and every >> single request requires the credentials necessary to pass that >> request through the proxy. > > Once you mentioned it, I have a question. > > If we speak about Kerberos authentication. On the very first > request, the browser receives a "407 Proxy Authentication Required" > reply and learns that it is expected to provide credentials. For a > certain amount of time, the browser knows that it should send the > credentials with every request without waiting for an 407 reply. > > How long is this amount of time? Is it like forever? Is there ever > a limit after which the browser will try again to send a request > without credentials? Maybe after a browser restart or what? > Negotiate/Kerberos (and NTLM) do not authenticate the request. They abuse HTTP to authenticate the TCP connection underneath HTTP. So the credentials must be re-used for the entire lifetime of that TCP connection. Changing credentials means tearing down that whole TCP connection. Amos -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUZvcOAAoJELJo5wb/XPRjuPwIANbYcqUEBtwt5MmMr0Rc5oM9 o9DW6e+Blm5hMClwa8i31zBg6pcww0/ixEb4DwwBgBr+NcCPr4jP/dHMZQ0vh+rx IOH2n7LGZwQ6phaltIavYFQouqJjUL0gtFRpoYjClobm8coi/jxv/3qZMwfrGB53 /A9l8cmBs7v7C5vzEKLLlpTZQ85wYtc+qC8i1W1FVK8jcpypd5ql8xSbodMumtUH vItOJdKRZFseOZc6rk9EJG24VZluRD7rmab4XQWQdbL/eVabXDDIqQq2agaf7DTZ 8F9bSEuqjAoSnsf/gl5RGdWNUN1h5tTWO/DYvyn1MI5vYEhExGeW1YrsF2sWPpA= =DvPW -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
