[Owasp-ireland] Use of Basic Authentication
eoin.keary at owasp.org
Mon Jul 14 17:08:42 UTC 2014
Is there a concept of a session in REST and therefore logging out?
REST is stateless and hence no session / Logout.
Owasp Global Board
+353 87 977 2988
On 14 Jul 2014, at 17:40, Paul McCann <ismisepaul at gmail.com> wrote:
> Hey everyone,
> I've seen basic auth being used with various web application APIs, e.g. REST calls, as a quick and well-supported way of creating a session with a server. OWASP takes the stance that it's a weak method but is acceptable to use as long as every request containing the "Authentication: Basic <base64-string>" header is never sent over HTTP. However, there is another fundamental problem with basic auth which OWASP doesn't address (at least I can't find it), and that is you cannot log out if you're using basic auth, as it wasn't designed to manage logging out.
> The basic auth credentials are cached by the browser and cannot be cleared by an application's logout function. At least not consistently across browsers;
> Firefox - Manually clear your recent history, clear the active logins
> Chrome - no way to clear
> After reading into this I think under no circumstances should anyone make use of basic auth because it's broken by design. The root of the problem comes from the HTTP specification:
> "Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1. does not provide a method for a server to direct clients to discard these cached credentials. This is a significant defect that requires further extensions to HTTP." http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html
> Has anyone come across this problem? Is there an OWASP guide/best practice around logging out when using basic auth or some piece that states basic auth is broken and should never be used?
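Two points in the thread are easy to see in code: the Basic credential in the `Authorization` request header is only base64-encoded, so anyone who reads the header on a plain-HTTP link recovers the username and password directly, and the browser resends that identical header on every request, so the server has nothing to "log out". The following is an added example, not code from the thread or from OWASP; it shows a server-side filter that parses the header the way RFC 7617 describes (split on the first colon, UTF-8), refuses Basic credentials on anything but HTTPS, and verifies the password with a salted PBKDF2 hash and a constant-time compare. The user store, salt and sample header are constructed for the example; `check_request` and `make_basic_header` are hypothetical names.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (stored instead of the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed user store (hypothetical): username -> (salt, pbkdf2 hash).
# A fixed salt is used only so the example is deterministic; use os.urandom per user.
_SALT = b"constructed-fixed-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, hash_password("s#cret:pass", _SALT)),
}


def make_basic_header(user: str, password: str) -> str:
    """Build the header value a client sends: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64>' value into (user, password).

    Returns None for a missing, non-Basic or malformed header. Note that this
    is plain decoding, not decryption: the credentials are fully visible to
    anyone who can read the request, which is why the header must only ever
    travel over TLS.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    # RFC 7617: the user-id cannot contain ':', so split on the first colon
    # only; a password that itself contains ':' stays intact.
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None
    return user, password


def check_request(url_scheme: str, authorization: Optional[str]) -> Tuple[int, str]:
    """Decide a request the way a server-side auth filter would: (status, reason).

    The browser resends the same cached header on every request, so a
    'logout' endpoint cannot invalidate it; the only server-side lever is to
    stop accepting the credential, which is why the thread argues Basic auth
    is unsuitable where logout matters.
    """
    if url_scheme.lower() != "https":
        return 403, "Basic credentials must never be sent over plain HTTP"
    creds = parse_basic_auth(authorization)
    if creds is None:
        return 401, "missing or malformed Basic credentials"
    user, password = creds
    stored = USERS.get(user)
    if stored is None:
        # Hash anyway so unknown and known users take similar time (no enumeration hint).
        hash_password(password, _SALT)
        return 401, "bad credentials"
    salt, expected = stored
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return 401, "bad credentials"
    return 200, f"authenticated as {user}"


if __name__ == "__main__":
    # Constructed sample header: base64 of "alice:s#cret:pass".
    sample = "Basic YWxpY2U6cyNjcmV0OnBhc3M="
    print("decoded credentials:", parse_basic_auth(sample))
    print("over http :", check_request("http", sample))
    print("over https:", check_request("https", sample))
```

Running the module prints the decoded `('alice', 's#cret:pass')` pair from the sample header, a 403 for the same header over `http`, and a 200 over `https`; the decoded pair is the practical meaning of "never sent over HTTP" in the quoted post.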