[squid-users] Removing cache credentials

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 15 06:47:42 UTC 2014


On 15/11/2014 7:33 p.m., Victor Sudakov wrote:
> Amos Jeffries wrote:
>>> 
>>> I have set up squid proxy server with LDAP authentication, the
>>> infrastructure is setup in such a way that users have to
>>> access the internet through the proxy. In Internet Explorer
>>> there's an option to save the credentials and once it's saved
>>> during the prompt squid won't ask for credentials the user will
>>> have direct access to internet.
> 
>> Wrong and wrong. HTTP (thus Squid) is stateless. Each and every
>> single request requires the credentials necessary to pass that
>> request through the proxy.
> 
> Once you mentioned it, I have a question.
> 
> If we speak about Kerberos authentication. On the very first
> request, the browser receives a "407 Proxy Authentication Required"
> reply and learns that it is expected to provide credentials. For a
> certain amount of time, the browser knows that it should send the
> credentials with every request without waiting for a 407 reply.
> 
> How long is this amount of time? Is it like forever?  Is there ever
> a limit after which the browser will try again to send a request
> without credentials? Maybe after a browser restart or what?
> 

Negotiate/Kerberos (and NTLM) do not authenticate the request. They
abuse HTTP to authenticate the TCP connection underneath HTTP. So the
credentials must be re-used for the entire lifetime of that TCP
connection. Changing credentials means tearing down that whole TCP
connection.

Amos
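
A toy model of the distinction drawn in the reply above, added here as an illustration; it is not part of the original message and is not Squid's code. It contrasts a per-request scheme (Basic) with the connection-bound behaviour described for Negotiate/NTLM. The class, the tokens, the user names and the trace are all constructed, and the multi-step handshake is collapsed into a single request.

```python
# Added illustration: a toy model, not Squid's code. All names are hypothetical.
from dataclasses import dataclass, field

# Schemes that, per the reply above, authenticate the TCP connection itself.
CONNECTION_SCHEMES = {"negotiate", "ntlm"}

@dataclass
class ProxyModel:
    users: dict                                # constructed token -> username
    bound: dict = field(default_factory=dict)  # conn_id -> authenticated user

    def handle(self, conn_id, proxy_authorization=None):
        """Return (status, user) for one request on TCP connection conn_id."""
        scheme, _, token = (proxy_authorization or "").partition(" ")
        scheme, user = scheme.lower(), self.users.get(token)
        if conn_id in self.bound:
            if scheme in CONNECTION_SCHEMES and user not in (None, self.bound[conn_id]):
                # Different credentials: the whole connection is torn down.
                del self.bound[conn_id]
                return ("close", None)
            # Identity is reused for the lifetime of the connection.
            return (200, self.bound[conn_id])
        if user and scheme in CONNECTION_SCHEMES:
            self.bound[conn_id] = user  # real handshakes take several round trips
            return (200, user)
        if user and scheme == "basic":
            return (200, user)          # per request: nothing is remembered
        return (407, None)

# Constructed trace: (connection id, Proxy-Authorization header or None).
TRACE = [
    (1, None),                   # new connection, no credentials
    (1, "Negotiate tok-alice"),  # connection 1 becomes alice's
    (1, None),                   # no header, still attributed to alice
    (2, None),                   # a second connection starts from scratch
    (1, "Negotiate tok-bob"),    # changing user forces a teardown
    (3, "Basic b64-carol"),      # Basic: accepted for this request only
    (3, None),                   # next request without header is challenged
]

def replay(trace=TRACE):
    proxy = ProxyModel(users={"tok-alice": "alice", "tok-bob": "bob", "b64-carol": "carol"})
    return [proxy.handle(conn, hdr) for conn, hdr in trace]

if __name__ == "__main__":
    for (conn, hdr), result in zip(TRACE, replay()):
        print(conn, hdr, "->", result)
```

In this model a request that carries no header on a bound connection is still attributed to that connection's user, so access-log attribution under these schemes depends on which TCP connection a request arrived on.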

