WinGate Forums

[gsm]

I'm currently trialling WinGate for our company, and I have downloaded and installed the latest version (6.6.4 Build 1338).

I originally set up clients to access the web through the WinGate proxy, and that worked fine (both the clients and server are running XP Pro).

I then enabled authentication on the WWW Proxy using the Java login, and that seemed to be working also. However, I've now noticed that once I login with the Java login, I stay logged in until I reboot the client. I expected that when I either (a) closed the browser or (b) clicked 'Logoff' on the Java window, I would be disconnected and would have to login when I opened the browser again. This seems not to be the case - opening a new browser enables me to surf the web with no login!

I thought there may be some sort of "session timeout", and indeed I did find such a parameter. It was set to 10 mins (600 sec), but even an hour after logging out or closing the browser, I was able to reconnect to the web without re-authenticating. According to the WWW Proxy log file, I am being reconnected with the same user name as the original login.

So I'm at a bit of a loss ... am I missing some configuration parameter that I need to change, or am I misunderstanding how this is suppoed to work ? Any help would be much appreciated.

[adrien]

Hi

the default operation of WinGate in relation to this is:

a) when any connection from a client IP authenticates to WinGate, the established credentials are cached against the IP of the client.
b) any new connection from that IP gets the cached credentials established by the previous connection
c) only when all connections are closed do the cached credentials disappear (after 30 seconds). This shows up as the computer icon in the activity window in WinGate.

So, if you use the Java login to establish credentials for your IP with WinGate, and keep any other sort of connection open to WinGate from that IP, then the credentials will be maintained, and subsequent connections won't be required to auth.

Typically the way round this is to more aggressively time out connections.

When you log out of the Java client, it disconnects from WinGate's Remote Control Service, but any other (say) web sessions that are open need to be timed out.

Modern browsers maintain connections to servers and proxies for quite long periods nowadays (it wasn't always the case).

So you could try setting the WWW proxy server session timeout to something more like 60 or 30 seconds.

If this doesn't help, what connections are showing as open in GateKeeper for the clients?

Regards

Adrien

[gsm]

Thanks for your help adrien.

I shortened the WWW Proxy session timeout to 30sec, but that didn't resolve the issue.

As you suggested, I then had a look at the connections from this client to WInGate, and I found there were NAT: TCP connections related to Skype and LogMeIn, and a NAT: UDP connection related to voip (Firefly). I closed the Skype and Firefly applications, and stopped the LogMeIn service. These connections disappeared and sure enough, 30 seconds later, the authentication disappeared too. Now when I open up a browser, it requires re-authenication with the Java login, as long as 30sec have elapsed since logout.

So now my only question is this: Skype, LogMeIn etc all startup automatically and work without authentication but once the user has authenticated by opening a browser, these applications keep that authentication alive, even though they apparently don't need it. Is this correct ? Can this behaviour be altered ?

This will normally not be a problem as none of the machines in the real environment will have these applications. It was just unfortunate that my test client machine did have them installed.

I can live with things as they are, but I'd just like some understanding ...