/*
- * $Id: acl.cc,v 1.215 2000/05/02 20:22:54 hno Exp $
+ * $Id: acl.cc,v 1.216 2000/05/02 21:35:24 hno Exp $
*
* DEBUG: section 28 Access Control
* AUTHOR: Duane Wessels
return 0; /* NOTREACHED */
}
} else {
- /* user has switched to another IP addr */
- debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user);
- /* remove this user from the hash, making him unknown */
- hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
- aclFreeProxyAuthUser(auth_user);
- /* require the user to reauthenticate */
- return -2;
+ if (Config.onoff.authenticateIpTTLStrict) {
+ /* Access from some other IP address than the one owning
+ * this user ID. Deny access
+ */
+ debug(28, 1) ("aclMatchProxyAuth: user '%s' tries to use multple IP addresses!\n", user);
+ return 0;
+ } else {
+ /* user has switched to another IP addr */
+ debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user);
+ /* remove this user from the hash, making him unknown */
+ hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
+ aclFreeProxyAuthUser(auth_user);
+ /* require the user to reauthenticate */
+ return -2;
+ }
}
} else {
/* password mismatch/timeout */
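Review bot: The level-1 log line in the new strict branch misspells "multiple": `debug(28, 1) ("aclMatchProxyAuth: user '%s' tries to use multiple IP addresses!\n", user);` is the intended text. Because that branch returns 0 without touching the cached entry, every further request from the second address will take the same path and emit the same line until the TTL expires, so a lower debug level (or noting the expected volume in the comment above it) may be worth considering — whether a client actually retries in a loop depends on callers outside this hunk. The comment "Deny access" could also state the user-visible difference from the non-strict branch, i.e. the request is refused rather than answered with a re-authentication challenge. aclMatchProxyAuth's body starts and ends outside the hunk.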
#
-# $Id: cf.data.pre,v 1.176 2000/05/02 20:58:30 hno Exp $
+# $Id: cf.data.pre,v 1.177 2000/05/02 21:35:24 hno Exp $
#
#
# SQUID Internet Object Cache http://squid.nlanr.net/Squid/
DOC_END
NAME: authenticate_ttl
-TYPE: int
-DEFAULT: 3600
+TYPE: time_t
+DEFAULT: 1 hour
LOC: Config.authenticateTTL
DOC_START
- The time a checked username/password combination remains cached
- (default 3600). If a wrong password is given for a cached user,
- the user gets removed from the username/password cache forcing
- a revalidation.
+ The time a checked username/password combination remains cached.
+ If a wrong password is given for a cached user, the user gets
+ removed from the username/password cache forcing a revalidation.
DOC_END
NAME: authenticate_ip_ttl
-TYPE: int
+TYPE: time_t
LOC: Config.authenticateIpTTL
-DEFAULT: 0
+DEFAULT: 0 seconds
DOC_START
With this option you control how long a proxy authentication
will be bound to a specific IP address. If a request using
port.
The default is 0 to disable the check. Recommended value
- if you have dialup users are no more than 60 (seconds). If
- all your users are stationary then higher values may be
- used.
+ if you have dialup users are no more than 60 seconds to allow
+ the user to redial without hassle. If all your users are
+ stationary then higher values may be used.
+
+ See also authenticate_ip_ttl_is_strict
+DOC_END
+
+NAME: authenticate_ip_ttl_is_strict
+TYPE: onoff
+LOC: Config.onoff.authenticateIpTTLStrict
+DEFAULT: on
+DOC_START
+ This option makes authenticate_ip_ttl a bit stricted. With this
+ enabled authenticate_ip_ttl will deny all access from other IP
+ addresses until the TTL has expired, and the IP address "owning"
+ the userid will not be forced to reauthenticate.
DOC_END
COMMENT_START
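Review bot: The description of authenticate_ip_ttl_is_strict has a typo — `a bit stricted` should read `a bit stricter` — and it does not say what a denied client experiences, which is the practical point an administrator needs to choose between the two modes. I would add one sentence to that DOC_START block stating that with the option on, requests from another address are refused outright instead of forcing a new authentication, while the address that first used the userid keeps its cached credentials. Since authenticate_ip_ttl documents 0 as disabling the check entirely, a short note that the strict option presumably has no effect in that case would avoid a confusing combination (on by default, yet inert unless authenticate_ip_ttl is set); I cannot confirm that interaction from the lines shown here.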
/*
- * $Id: structs.h,v 1.327 2000/05/02 21:21:09 hno Exp $
+ * $Id: structs.h,v 1.328 2000/05/02 21:35:24 hno Exp $
*
*
* SQUID Internet Object Cache http://squid.nlanr.net/Squid/
#endif
int redirectChildren;
int authenticateChildren;
- int authenticateTTL;
- int authenticateIpTTL;
+ time_t authenticateTTL;
+ time_t authenticateIpTTL;
struct {
int single_host;
char *host;
int digest_generation;
#endif
int log_ip_on_direct;
+ int authenticateIpTTLStrict;
} onoff;
acl *aclList;
struct {
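Review bot: The new `authenticateIpTTLStrict` member carries no indication of what it controls, and its effect (changing how a cached proxy-auth user arriving from a second address is treated) is only discoverable by reading acl.cc. A trailing comment in the style of the file's other fields would help: `int authenticateIpTTLStrict;	/* deny other addresses within authenticate_ip_ttl instead of re-authenticating */`. The enclosing struct begins and ends outside the hunk.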