* squid-2.3.STABLE1.strict_authenticate_ip_ttl.patch * Sat Feb 19 10:49:41 CET 2000 Modified Files in squid/src cf.data.pre acl.c structs.h Changed ip_authenticate_ttl to have an strict option, enforcing that the user comes from one IP address only. -----------------------------------------------------------------
Index: squid/src/cf.data.pre
diff -u squid/src/cf.data.pre:1.1.1.42.6.9 squid/src/cf.data.pre:1.1.1.42.6.10
--- squid/src/cf.data.pre:1.1.1.42.6.9 Sun Jan 23 00:59:04 2000
+++ squid/src/cf.data.pre Sat Feb 19 10:49:39 2000
@@ -995,20 +995,19 @@
 DOC_END
 NAME: authenticate_ttl
-TYPE: int
-DEFAULT: 3600
+TYPE: time_t
+DEFAULT: 1 hour
 LOC: Config.authenticateTTL
 DOC_START
- The time a checked username/password combination remains cached
- (default 3600). If a wrong password is given for a cached user,
- the user gets removed from the username/password cache forcing
- a revalidation.
+ The time a checked username/password combination remains cached.
+ If a wrong password is given for a cached user, the user gets
+ removed from the username/password cache forcing a revalidation.
 DOC_END
 NAME: authenticate_ip_ttl
-TYPE: int
+TYPE: time_t
 LOC: Config.authenticateIpTTL
-DEFAULT: 0
+DEFAULT: 0 seconds
 DOC_START
 With this option you control how long a proxy authentication will be bound to a specific IP address. If a request using 
@@ -1019,10 +1018,14 @@
 yet allow a dialup user to reconnect on a different dialup port.
+ If the TTL is set to a negative value then the check is
+ strict, completely denying access from other IP addresses
+ until the TTL has expired.
+
 The default is 0 to disable the check. Recommended value
- if you have dialup users are no more than 60 (seconds). If
+ if you have dialup users are no more than 60 seconds. If
 all your users are stationary then higher values may be
- used.
+ used, or even strict checking.
 DOC_END
 COMMENT_START
Index: squid/src/acl.c
diff -u squid/src/acl.c:1.1.1.40.6.2 squid/src/acl.c:1.1.1.40.6.3
--- squid/src/acl.c:1.1.1.40.6.2 Sun Jan 16 03:40:46 2000
+++ squid/src/acl.c Sat Feb 19 10:49:40 2000
@@ -1112,7 +1112,7 @@
 /* store validated user in hash, after filling in expiretime */
 xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
 auth_user->expiretime = current_time.tv_sec + Config.authenticateTTL;
- auth_user->ip_expiretime = squid_curtime + Config.authenticateIpTTL;
+ auth_user->ip_expiretime = squid_curtime + abs(Config.authenticateIpTTL);
 auth_user->ipaddr = checklist->src_addr;
 hash_join(proxy_auth_cache, (hash_link *) auth_user);
 /* Continue checking below, as normal */
@@ -1133,7 +1133,7 @@
 debug(28, 5) ("aclMatchProxyAuth: user '%s' previously validated\n", user);
 /* Update IP ttl */
- auth_user->ip_expiretime = squid_curtime + Config.authenticateIpTTL;
+ auth_user->ip_expiretime = squid_curtime + abs(Config.authenticateIpTTL);
 auth_user->ipaddr = checklist->src_addr;
 /* copy username to request for logging on client-side */
 xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ); 
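Review bot: `abs(Config.authenticateIpTTL)` on the changed line of the `@@ -1112,7 +1112,7 @@` hunk takes an int, while the structs.h hunk of this same patch changes authenticateIpTTL to time_t; on a platform where time_t is wider than int the value is silently narrowed before abs() runs, and the identical call appears again in the `@@ -1133,7 +1133,7 @@` hunk. Keeping the arithmetic in time_t avoids that, e.g. `time_t ip_ttl = Config.authenticateIpTTL < 0 ? -Config.authenticateIpTTL : Config.authenticateIpTTL;` followed by `auth_user->ip_expiretime = squid_curtime + ip_ttl;` at both sites. Since the sign of the setting now carries meaning (negative = strict), a one-line comment at the first site, `/* a negative TTL selects strict mode; its magnitude is the lifetime */`, would tell the next reader why the sign is discarded here. The enclosing aclMatchProxyAuth body starts and continues outside both hunks.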
@@ -1149,11 +1149,16 @@
 } else {
 /* user has switched to another IP addr */
 debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user);
- /* remove this user from the hash, making him unknown */
- hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
- aclFreeProxyAuthUser(auth_user);
- /* require the user to reauthenticate */
- return -2;
+ if (!Config.authenticateIpTTL > 0) {
+ /* remove this user from the hash, making him unknown */
+ hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
+ aclFreeProxyAuthUser(auth_user);
+ /* require the user to reauthenticate */
+ return -2;
+ } else {
+ /* Strict TTL is set. Deny the "other" user access */
+ return 0;
+ }
 }
 } else {
 /* password mismatch/timeout */
Index: squid/src/structs.h
diff -u squid/src/structs.h:1.1.1.45.4.12 squid/src/structs.h:1.1.1.45.4.13
--- squid/src/structs.h:1.1.1.45.4.12 Wed Feb 2 23:32:27 2000
+++ squid/src/structs.h Sat Feb 19 10:49:40 2000
@@ -320,8 +320,8 @@
 #endif
 int redirectChildren;
 int authenticateChildren;
- int authenticateTTL;
- int authenticateIpTTL;
+ time_t authenticateTTL;
+ time_t authenticateIpTTL;
 struct {
 int single_host;
 char *host;
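Review bot: The new condition `if (!Config.authenticateIpTTL > 0)` applies `!` before `>`, so it is true only when authenticateIpTTL is exactly 0; every positive (non-strict) TTL therefore takes the else branch and returns 0 instead of evicting the cache entry and returning -2 to force re-authentication, and a negative (strict) TTL ends up in the deny branch only by the same accident. The intended test reads `if (Config.authenticateIpTTL >= 0) {` (or `> 0`, if a TTL of 0 can never reach this branch — that depends on the ip_expiretime comparison outside the hunk). Because the wrong branch denies rather than re-challenges, this fails closed and is a usability regression rather than a bypass, but it silently changes the documented behaviour for the recommended positive values. The enclosing aclMatchProxyAuth body starts and ends outside the hunk.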