[Owasp-ireland] Use of Basic Authentication

Eoin Keary eoin.keary at owasp.org
Mon Jul 14 17:08:42 UTC 2014


Hey there...
Is there a concept of a session in REST and therefore logging out?
REST is stateless and hence no session / Logout.


-ek


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 14 Jul 2014, at 17:40, Paul McCann <ismisepaul at gmail.com> wrote:

> Hey everyone,
> 
> I've seen basic auth being used with various web application APIs, e.g. REST calls, as a quick and well-supported way of creating a session with a server. OWASP takes the stance that it's a weak method but is acceptable to use as long as every request containing the "Authentication: Basic <base64-string>" header is never sent over HTTP. However, there is another fundamental problem with basic auth which OWASP doesn't address (at least I can't find it), and that is you cannot log out if you're using basic auth as it wasn't designed to manage logging out.
> 
> The basic auth credentials are cached by the browser and cannot be cleared by an application's logout function. At least not consistently across browsers:
> IE - there's a JavaScript function document.execCommand('ClearAuthenticationCache', 'false') (I haven't tested this)
> Firefox - Manually clear your recent history, clear the active logins
> Chrome - no way to clear
> 
> After reading into this I think under no circumstances should anyone make use of basic auth because it's broken by design. The root of the problem comes from the HTTP specification:
> "Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1. does not provide a method for a server to direct clients to discard these cached credentials. This is a significant defect that requires further extensions to HTTP." http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html
> 
> Has anyone come across this problem? Is there an OWASP guide/best practice around logging out when using basic auth or some piece that states basic auth is broken and should never be used?
> 