On 4/09/19 1:13 am, jmperrote wrote:
> Hello Amos, yes but how can I identify that is on the first request ??
>

It will be first? but what does first actually mean?
first this year? first today? first this second?

HTTP is stateless. There is no concept of "second request" etc. outside of features which are *not* related to users or useful to you here.

_Every_ request that your config requires credentials to accept, needs credentials provided or will get a 401/407 response. That is just how auth works in HTTP. There are likely many of those which are handled by the Browser without any popup at all.

To Squid there is no difference between request 1 without credentials and request 2 without credentials.

> Else squid request to authenticate and later when invoke the helper
> again request to authenticate.

Every time Squid is handed never-before-seen credentials the helper will be asked to check them.

Every time Squid is handed credentials that are apparently expired, the helper will be asked to check them.

>
> I handle recover the user from squid cache (cachemanager) on the helper,
> for asking if the user previous exist, but squid refresh cache and users
> disappearing time to time.

Yes. Computers do not have infinite memory. Things that are clearly obsolete are thrown away after a reasonable time.

To make credentials stick around longer you can do two things:

1) increase their TTL. The longer they are considered valid the longer they are retained as possibly useful.

   Pros: they stick around. Less CPU load on the auth system.

   Cons: they stick around. Increased memory usage. Reduced ability to change passwords. Reduced ability to kick malicious users off the proxy by disabling hacked credentials.

2) increase the garbage collection interval Squid uses. This keeps obsolete logins around longer.

   Pros: more known logins.

   Cons: more memory used storing logins.

Both have the possibility/risk that a user's "login session" goes longer than you might be expecting.

For example, if set to 10hrs (one working day), a user may "logout" late one night, then re-login early the next day (9hrs of sleep later) and be seen by Squid as having continued the same login started yesterday. Even 2hrs is too long to cover lunch breaks etc.

Up to you of course, just consider what type of activities may be problematic for your system for any given time range.

>
> The exact question is: how to know if the user is previous logged, so
> the helper just validate user/password

Yes.

> and later ALLOW to continue.
>

No. Authentication vs Authorization. There is a thin difference, but it is very important to understanding these things going on.

The auth helper only does Authentication - checking that credentials are *correct*.

Squid ACLs do the Authorization - allow/deny actions. Which may (or not) be based on whether credentials are correct / authenticated.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
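
The split described in the message above, as an added example that is not part of the original post or of Squid's own code: a stateless Basic auth helper that only answers whether credentials are correct, while the TTL, garbage collection interval and allow/deny decision stay in squid.conf. The helper path, the directive values and the sample user store are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
# Assumed squid.conf wiring (hypothetical path and values):
#   auth_param basic program /usr/local/bin/check_creds.py
#   auth_param basic credentialsttl 2 hours       # how long Squid trusts a checked login
#   authenticate_cache_garbage_interval 1 hour    # how often obsolete logins are purged
#   acl authed proxy_auth REQUIRED                # authorization is done by ACLs ...
#   http_access allow authed                      # ... not by this helper
#   http_access deny all
import hashlib
import hmac
import sys
from urllib.parse import unquote

SALT = b"constructed-salt"  # constructed sample value


def _hash(password: str) -> bytes:
    """Derive a password hash so cleartext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample credential store; a real helper would query LDAP, a DB, etc.
USERS = {"alice": _hash("correct horse")}


def check_line(line: str) -> str:
    """Answer one request line '<user> <password>' (both URL-escaped by Squid).

    The helper keeps no memory of earlier requests: the same input always
    yields the same answer, whether Squid asks once or a thousand times.
    """
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = unquote(parts[0]), unquote(parts[1])
    candidate = _hash(password)  # hashed even for unknown users
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored, candidate):
        return "OK"
    return "ERR"


def main() -> None:
    # Squid keeps the helper running and writes one request per line.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```

Squid caches each OK result for credentialsttl and re-runs the helper only for never-before-seen or expired credentials, so disabling an account takes effect once the cached entry expires.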