>
> What do you mean by "claim" ?
I would mean no banner
>
> The browser is expected to deliver credentials on every request and
> the
> proxy validate them. The credentialsttl is only about how often Squid
> has to query the backend to validate them. When the TTL expire the
> authenticator backend is checked, exactly the same as on a new login.
> If
> it says they are still OK then a new credentialsttl period is
> started.
> When auth works properly the browser is only ever challenged at
> the
> start of the users browsing session and not bothered again.
>
Yes, it's the point, with digest the user can revalidate with some options but
not with basic
> To force a change in credentials midway through a series of
> transactions
> you need to cause the proxy to emit another auth challenge. Which can
> be
> done by denying one of the requests using an access control line
> ending
> with either an auth re-validation to the backend ("proxy_auth
> REQUIRED"), a check against explicit username (proxy_auth <name>) or
> with an external ACL that depends on %LOGIN.
>
> http://wiki.squid-cache.org/action/show/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F
Thank very much, I didn't find this, unfortunately it doesn't work right
with this at the end
acl my_auth proxy_auth REQUIRED
acl google_users proxy_auth user1 user2 user3 fred
acl google dstdomain .google.com
http_access deny google !google_users
http_access allow my_auth
http_access deny all
When I'm surfing (digest or basic) my auth is never re-validate
To be sure I removed "fred" form acl google_users and I'm denied and my browser
show the banner
>From the wiki "In this case if the user requests www.google.com then the first
>http_access line matches and triggers re-authentication unless the user is one
>of the listed users."
It's not completely right, I think the doc give the impression that it
sequential (user1 banner, user2 banner, etc), but with acl google_users
proxy_auth user1 user2 user3 fred no banner
With acl google_users proxy_auth user1 user2 user3, banner, and I need to
change my user for userx
It cannot be used really used because you must change your user for another ...
But maybe I misunderstanding something
So thank very much, I know now that squid can force the revalidation (perhaps
It only lacks one option like authenticate_disconnet) the question is how
exactly ?
Fred
