On 25 February 2016 at 12:19, Jonathan Gazeley < Jonathan.Gazeley@bristol.ac.uk> wrote:
- whether they have been suspended for being naughty
This is the one which means we're reluctant to cache the vlan attribute between authentications. We want to be able to drop people into our "containment" vlan promptly when we get wind of abusive behaviour, and if we're caching the vlan itself they won't get put in the new vlan until the cache entry expires. To make the decision about whether or not the user needs to be "contained" we need their actual username (ie from the inner) and not whatever they happen to tell us their username is in the outer. Which is when we have a "resumed" session which doesn't run the inner (because it's being resumed from the tls cache) we're failing to do the right vlan calculations. Does that make more sense? -Paul -- ---------------------------------------------------------------------- Paul Seward, Senior Systems Administrator, University of Bristol Paul.Seward@bristol.ac.uk +44 (0)117 39 41148 GPG Key ID: E24DA8A2 GPG Fingerprint: 7210 4E4A B5FC 7D9C 39F8 5C3C 6759 3937 E24D A8A2