This is not a bug, this is expected behavior. To give you a better idea of how the auth server works see below:
- UserA (10.1.1.10) makes a request to the Web Gateway (over WCCP)
- Web Gateway sees a request from 10.1.1.10; it then checks against its authentication server database to see if there is a valid (time-based) session for that IP.
  - If 10.1.1.10 has a valid session (session is defined by your TTL value): continue with the username associated with the session and allow the request to continue on to other rules.
  - If not: authenticate the user and set the session time (this will store the username/IP/"expires-at time" into a database).
Speaking to your example, you may want to decrease the TTL value if the environment has shared workstations.
This is different from direct proxy environments, which use proxy authentication (performs authentication for every new connection).
There is also cookie authentication which would perform what it sounds like you want, the browser would have a cookie stored which would be limited to that user.
Hope this helps, just thought I'd get a quick answer out.
I wasn't clear on one thing: whether a user logs in or out of their PC does not control the username the Web Gateway sees them as. Logging in or out of a PC is not something the Web Gateway has knowledge of.
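The IP-keyed, TTL-bounded session lookup described above, including the shared-workstation case where a logoff is invisible to the gateway, modelled as an added Python example (this is not Web Gateway code; the class and function names, the simulated clock and the 10.1.1.10 timeline are constructed for illustration):

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass
class Session:
    username: str
    expires_at: float  # constructed: seconds on a simulated clock


class IpSessionCache:
    """Model of an auth server session table keyed by client IP (constructed example)."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self.sessions: dict[str, Session] = {}

    def resolve(self, client_ip: str, now: float, authenticate: Callable[[], str]) -> str:
        """Return the username the gateway attributes to client_ip at time `now`.

        `authenticate` stands in for the interactive auth step and is only called
        when no valid session exists for the IP; it returns the real user's name.
        """
        s = self.sessions.get(client_ip)
        if s is not None and now < s.expires_at:
            return s.username  # valid session: reuse the stored name, no re-auth
        username = authenticate()
        self.sessions[client_ip] = Session(username, now + self.ttl)
        return username


def shared_workstation_timeline(ttl_seconds: float) -> list[str]:
    """Two users share 10.1.1.10 (constructed). UserA authenticates at t=0;
    UserB sits down at t=60 and again at t=60+ttl. Returns the usernames the
    gateway attributes to each of the three requests."""
    cache = IpSessionCache(ttl_seconds)
    ip = "10.1.1.10"
    seen = [cache.resolve(ip, 0, lambda: "UserA")]
    # UserA logs off and UserB logs on; the gateway never learns about the logoff,
    # so UserB's first request is attributed to UserA while the session is valid.
    seen.append(cache.resolve(ip, 60, lambda: "UserB"))
    # Once the TTL has elapsed the next request triggers a fresh authentication.
    seen.append(cache.resolve(ip, 60 + ttl_seconds, lambda: "UserB"))
    return seen
```

With a one-hour TTL the second request is misattributed to UserA; with a 30-second TTL the same timeline attributes it to UserB, which is the trade-off behind lowering the TTL on shared workstations.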
So what you are saying is that it looks for an IP address in the cache? Not a user name?
And my next question would be: how can we reset the TTL cache for specific IP addresses then, so users can re-authenticate?
Correct, the Web Gateway stores the IP and associates it with a username and "expires-at" time. This creates the session. It does not have the username at that point.
On your next question, you can always create rules with differing criteria. See screenshot below:
Let me know if this answers your question, or if you were asking for something else.
I am looking for a way to clear the TTL cache for certain users.
Where is this TTL cache stored? Is there a way to reset it?
Hi again Jonathan,
No way currently to "destroy" the session for a particular user (though I have an FMR filed to create an "event" to destroy one).
That would be a really nice feature, if you could force a user/all users to reauthenticate via the GUI.
Is there any way we can suggest this feature as well? This would be very helpful.