[Owasp-ireland] Use of Basic Authentication

Paul McCann ismisepaul at gmail.com
Mon Jul 14 16:40:39 UTC 2014


Hey everyone,

I've seen basic auth being used with various web application APIs e.g. REST
calls as a quick and well supported way of creating a session with a
server. OWASP takes the stance that it's a weak method but is acceptable to
use as long as every request containing the "Authentication: Basic
<base64-string>" header is never sent over HTTP. However, there is another
fundamental problem with basic auth which OWASP doesn't address (at least
I can't find it) and that is you cannot logout if you're using basic auth
as it wasn't designed to manage logging out.

The basic auth credentials are cached by the browser and cannot be cleared
by an application's logout function. At least not consistently across
browsers;

   - IE - there's a javascript function
   document.execCommand('ClearAuthenticationCache', 'false') (I haven't tested
   this)
   - Firefox - Manually clear your recent history, clear the active logins
   - Chrome - no way to clear


After reading into this I think under no circumstances should anyone make
use of basic auth because it's broken by design. The root of the problem
comes from the HTTP specification:
"Existing HTTP clients and user agents typically retain authentication
information indefinitely. HTTP/1.1. does not provide a method for a server
to direct clients to discard these cached credentials. This is a
significant defect that requires further extensions to HTTP."
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html

Has anyone come across this problem? Is there an OWASP guide/best practice
around logging out when using basic auth or some piece that states basic
auth is broken and should never be used?
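Added example (not part of the original post, and not from OWASP): since the
browser's cached "Authorization: Basic" header cannot be cleared from the
server side, one workable design is to never put the real password in that
header at all. The server mints a random, revocable API token at login, the
client sends that token as the Basic "password", and logout revokes the token
server-side. Whatever the browser keeps cached is then useless after logout.
The in-memory TOKENS store, the user name "alice" and the helper names are all
assumptions made for this illustration.

```python
import base64
import binascii
import hmac
import secrets

# Hypothetical in-memory token store: username -> set of live API tokens.
# A real deployment would keep this in a database or cache shared by all servers.
TOKENS = {}


def issue_token(username):
    """Login step: mint a random, revocable token the client will send as its
    Basic-auth 'password' instead of the real account password."""
    token = secrets.token_urlsafe(32)
    TOKENS.setdefault(username, set()).add(token)
    return token


def revoke_token(username, token):
    """Logout step: forget the token so any cached Basic header stops working."""
    live = TOKENS.get(username, set())
    if token in live:
        live.discard(token)
        return True
    return False


def parse_basic_auth(header_value):
    """Decode 'Basic <base64>' into (user, secret); return None if malformed.
    Splits on the first colon only, because the secret itself may contain colons."""
    try:
        scheme, _, payload = header_value.strip().partition(" ")
        if scheme.lower() != "basic" or not payload:
            return None
        raw = base64.b64decode(payload.strip(), validate=True)
        user, sep, secret = raw.decode("utf-8").partition(":")
        if not sep:
            return None
        return user, secret
    except (binascii.Error, UnicodeDecodeError):
        return None


def authenticate(header_value):
    """Return the username if the header carries a live token, otherwise None."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return None
    user, presented = creds
    # Constant-time comparison against each live token for that user, so a
    # timing side channel does not leak how many leading bytes matched.
    for live in TOKENS.get(user, ()):
        if hmac.compare_digest(live.encode(), presented.encode()):
            return user
    return None


def basic_header(user, secret):
    """Build the header a client would send; used here to stand in for the
    browser's cached copy of the credentials."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def demo():
    """Walk through login, a request, logout and a replay of the cached header."""
    token = issue_token("alice")           # constructed sample user
    cached = basic_header("alice", token)  # what the browser would keep caching
    before = authenticate(cached)          # accepted while the token is live
    revoke_token("alice", token)           # logout: server forgets the token
    after = authenticate(cached)           # the cached header is now rejected
    return before, after


if __name__ == "__main__":
    print(demo())
```

The browser still resends the cached header on every request after logout; the
difference is that the server no longer honours it, and the real password was
never in the header to begin with. The token store is per-user, so several
concurrent logins can be revoked independently.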