help to disconnect users after determinated time. TTL


Juan Manuel Perrote-2
Hello, we have a Squid reverse proxy, and use the param "auth_param
basic credentialsttl 10 minutes" to disconnect users that are inactive
for a time, but this does NOT work, because a user validated on the
reverse proxy can continue navigating on the reverse proxy even after
10 minutes of inactivity.

And the users can continue navigating day to day and do not need to
revalidate if the browser is not closed.

Watching the Cache Manager menu --> Active Cached Usernames --> Check
TTL, the Check TTL is decreasing, but when it arrives at 0 it continues
decreasing with negative values. We observe that when the user refreshes
the browser, the Check TTL goes to the value of the credentialsttl setting
(in seconds) and starts decreasing.


regards.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: help to disconnect users after determinated time. TTL

FUSTE Emmanuel
On 13/08/2019 at 16:44, jmperrote wrote:
> Hello, we have a Squid reverse proxy, and use the param "auth_param
> basic credentialsttl 10 minutes" to disconnect users that are inactive
> for a time, but this does NOT work, because a user validated on the
> reverse proxy can continue navigating on the reverse proxy even after
> 10 minutes of inactivity.
>
Hello,
It is not how things work.
You cannot achieve what you want with basic auth.
The TTL is the TTL of the cache between the source of authentication
(file/ldap/sql etc ...) and Squid.
The client authenticates itself behind your back at each request because it
caches auth material. There is no notion of "disconnection" from the
server side. It could only be a client-side policy if implemented in the
browser.

Emmanuel.

Re: help to disconnect users after determinated time. TTL

Juan Manuel Perrote-2

Hello Emmanuel, we finished implementing a solution in a PHP script, getting the TTL time < 0 from the cachemgr, and it works.

The problem is that the param --> auth_param basic credentialsttl 3 minutes gives this time (180 seconds), but if the user is still navigating on the site, this value "Check TTL" is not renewed while the user is navigating, so if the user does not apply any click on the page just when the counter "Check TTL" is 0, the user counter goes to < 0.

Is it possible to introduce any param that tells Squid to renew the counter when a user is between the credentialsttl time and still navigating?

regards.
 



On 13/8/19 at 12:33, FUSTE Emmanuel wrote:
> Hello,
>
> On 13/08/2019 at 17:06, jmperrote wrote:
>> Hello Emmanuel, regards for your answer.
>>
>> We need a solution so that if the user does nothing for a period
>> of time, for security reasons, the reverse proxy requests the
>> authentication again. How can we resolve that?
> You need to generate a failed auth to force client cache expiration/auth
> popup.
> So you need to manage your own intermediate cache/TTL in your PHP script.
>
> Put Squid credentialsttl at 5 minutes.
> Squid will call your authenticator two times in ten minutes on an active
> "session" but zero times on a stale one. Issue an auth fail the next time
> even if the auth is OK in this case.
> Disable negative caching on Squid to get it to work.
>
> But it is not very robust:
> At startup you will need two auth/popups to successfully connect
> Many pages do requests behind your back, resetting the TTL
> Etc.
>
> As HTTP is stateless, it is more difficult than it sounds.
> Perhaps something is doable with a Kerberos/ticket authentication scheme,
> but I did not look at it.
>
> Emmanuel.
>> We use auth_param basic with a PHP script (LDAP repository) for
>> authentication.



Re: help to disconnect users after determinated time. TTL

Amos Jeffries
Administrator
On 16/08/19 3:30 am, jmperrote wrote:

> Hello Emmanuel, we finished implementing a solution in a PHP script, getting
> the TTL time < 0 from the cachemgr, and it works.
>
> The problem is that the param --> auth_param basic credentialsttl 3
> minutes gives this time (180 seconds), but if the user is still navigating
> on the site, this value "Check TTL" is not renewed while the user is
> navigating, so if the user does not apply any click on the page just when
> the counter "Check TTL" is 0, the user counter goes to < 0.
>
>
> Is it possible to introduce any param that tells Squid to renew the counter
> when a user is between the credentialsttl time and still navigating?

credentialsttl does not mean what you seem to think it does.

It is just an optimization to reduce the amount of lookups to the
helper. How often they are *checked*.

In your other thread you showed this report:

>
> Type            State     Check TTL Cache TTL Username
> --------------- --------- --------- --------- ------------------------------
> AUTH_BASIC      Ok        58        3598      prueba


Think of credentialsTTL ("Check TTL") hitting 0 as the start of that
"grace period". The cache garbage collection (Cache TTL) defines the end
- when the credentials are completely forgotten by Squid.

As you can see there is already a "grace period" of 3540 seconds on
these credentials.


As Emmanuel said you can fake a sort-of logout by having a custom helper
pretend the credentials have expired suddenly. But that is something
your helper does, not this TTL.

Keep in mind that while Squid is awaiting your helper response all new
HTTP requests using those credentials will be queued up waiting for its
response. When the helper responds its answer will be applied to all
those queued and all future requests until the next credentialsttl
period ends.

Amos
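The helper-side workaround Emmanuel and Amos describe, as an added example that is not code from the thread or from Squid: a basic-auth helper (Squid sends one URL-escaped `username password` line per lookup and expects `OK` or `ERR`) that fails one check when the gap since the user's previous check exceeds an idle limit. `IdleGate`, `demo_verify`, `serve`, the 600-second limit and the in-memory user table are assumptions standing in for the PHP/LDAP lookup.

```python
import hmac
import sys
import time
from urllib.parse import unquote

# Constructed stand-in for the LDAP lookup the thread's PHP script performs.
DEMO_USERS = {"prueba": "secret"}

def demo_verify(user, password):
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

class IdleGate:
    """Fail one check when a user's previous check is older than idle_limit."""

    def __init__(self, verify, idle_limit=600, clock=time.monotonic):
        self.verify = verify
        self.idle_limit = idle_limit      # assumed value: 10 minutes
        self.clock = clock
        self.last_ok = {}                 # username -> time of last OK answer

    def check(self, user, password):
        now = self.clock()
        last = self.last_ok.pop(user, None)
        if last is not None and now - last > self.idle_limit:
            return "ERR"                  # stale session: force a re-prompt once
        if not self.verify(user, password):
            return "ERR"
        self.last_ok[user] = now
        return "OK"

def serve(gate, stdin=sys.stdin, stdout=sys.stdout):
    # Basic-auth helper protocol without concurrency (no channel-ID prefix):
    # one "username password" line in, URL-escaped; one OK/ERR line out.
    for line in stdin:
        parts = line.rstrip("\r\n").split(" ", 1)
        if len(parts) == 2:
            answer = gate.check(unquote(parts[0]), unquote(parts[1]))
        else:
            answer = "ERR"
        stdout.write(answer + "\n")
        stdout.flush()                    # Squid waits for each reply

if __name__ == "__main__":
    serve(IdleGate(demo_verify))
```

Because Squid consults the helper only after Check TTL has lapsed, the gate measures the gap between helper calls, not between clicks: with credentialsttl at 5 minutes and a 10-minute limit, the forced failure can follow anywhere from just over 5 minutes of real inactivity, and always follows more than 10.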