I can't believe that there is not a work-around for this...
For example, if I can set up a file containing an ip address on each line /etc/squid/iplist.
And then I set up the squid.conf to have the following line:
acl authorisedip src "/etc/squid/iplist"
I can change the ERR_ACCESS_DENIED file to contain a form which calls a perl program (catchip.pl) passing it a username and password which, if correct, appends the user's ip to the /etc/squid/iplist file. (removing the IP when the user closes his browser would be trickier).
The problem is that any links in the ERR_ACCESS_DENIED file are appended to the original URL. So, if the user has requested the URL www.toyota.co.za
, the form in the ERR file will try to call http://www.toyota.co.za/cgi-bin/catchip.cgi
instead of the local cgi-bin/catchip.cgi.
I can't believe that this avenue has not been fully explored....