[Owasp-ireland] Use of Basic Authentication

Fabio Cerullo fcerullo at owasp.org
Mon Jul 14 17:53:07 UTC 2014


Paul,

Thanks for your mail... great to see the mailing list with technical
discussions!

To my view, the only reasonable answer for new systems is not to use HTTP
Basic Authentication.

In cases where HTTP Basic Auth is already in place, here is an article,
with code included, that works with the majority of browsers. It basically
relies on the user clicking a logout button, after which some JavaScript is
executed that will clear out the existing set of credentials.

HTTPAuth Logout in Chrome, Firefox and IE with jQuery
<http://patabugen.co.uk/2013/12/09/httpauth-logout-in-chrome-firefox-and-ie-with-jquery/>

Hope this helps.

Regards,
Fabio
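
An added example of the browser-side approach both replies point at (this is not code from the thread or from the linked article): a server cannot tell a client to discard Basic credentials, so the page asks the browser to forget them where a vendor command exists, and otherwise makes the browser replace the cached credentials with deliberately invalid ones. LOGOUT_URL is a placeholder for a path inside the same realm that the server always answers with 401; the header builder is there so the cached value can be checked outside a browser.

```javascript
// Added example, not from the thread or the linked article. Basic Auth has no
// server-driven logout (RFC 2616 sec. 15), so the page has to make the browser
// drop or replace what it cached for the realm.
// Assumption: LOGOUT_URL (placeholder) is inside the protected realm and the
// server always answers it with 401, forcing a fresh challenge.
const LOGOUT_URL = "/api/logout"; // placeholder path

// The header value a user agent caches and replays: base64("user:password").
// Works in browsers (btoa) and Node (Buffer); exposed so it can be verified.
function basicAuthHeader(user, password) {
  const raw = `${user}:${password}`;
  const b64 = typeof btoa === "function"
    ? btoa(raw)
    : Buffer.from(raw, "binary").toString("base64");
  return `Basic ${b64}`;
}

// Let the browser itself answer the 401 challenge with bogus credentials, so
// they overwrite the real ones cached for the realm. Resolves with the HTTP
// status; 401 is the expected and desired outcome.
function overwriteCachedCredentials(url, bogusUser = "logout", bogusPass = "logout") {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open("GET", url, true, bogusUser, bogusPass);
    xhr.onloadend = () => resolve(xhr.status);
    xhr.onerror = () => reject(new Error("logout request failed"));
    xhr.send();
  });
}

// Full logout: try the IE-only command named in the thread first, fall back to
// the overwrite hack, then navigate out of the realm. Returns whether either
// step reported success, which is browser-dependent, as the thread notes.
async function basicAuthLogout(redirectTo = "/") {
  let cleared = false;
  if (typeof document !== "undefined" && typeof document.execCommand === "function") {
    try { cleared = document.execCommand("ClearAuthenticationCache", false); } catch (_) {}
  }
  if (!cleared) {
    const status = await overwriteCachedCredentials(LOGOUT_URL);
    cleared = status === 401;
  }
  if (typeof window !== "undefined") window.location.assign(redirectTo);
  return cleared;
}
```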


On Mon, Jul 14, 2014 at 6:14 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Paul,
> This is from 2002 :)
> It is a hack which overwrites the basic auth header:
> https://www.mavensecurity.com/documents/BasicAuthLogOut.pdf
>
> Best to avoid the many pitfalls of Basic Auth I'd suggest, but we don't
> always have such luxury :)
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 14 Jul 2014, at 17:40, Paul McCann <ismisepaul at gmail.com> wrote:
>
> Hey everyone,
>
> I've seen basic auth being used with various web application APIs, e.g.
> REST calls, as a quick and well supported way of creating a session with a
> server. OWASP takes the stance that it's a weak method but is acceptable to
> use as long as every request containing the "Authentication: Basic
> <base64-string>" header is never sent over HTTP. However, there is another
> fundamental problem with basic auth which OWASP doesn't address (at least
> I can't find it), and that is you cannot log out if you're using basic auth
> as it wasn't designed to manage logging out.
>
> The basic auth credentials are cached by the browser and cannot be cleared
> by an application's logout function. At least not consistently across
> browsers:
>
>    - IE - there's a javascript function
>    document.execCommand('ClearAuthenticationCache', 'false') (I haven't tested
>    this)
>    - Firefox - Manually clear your recent history, clear the active logins
>    - Chrome - no way to clear
>
>
> After reading into this I think under no circumstances should anyone make
> use of basic auth because it's broken by design. The root of the problem
> comes from the HTTP specification:
> "Existing HTTP clients and user agents typically retain authentication
> information indefinitely. HTTP/1.1. does not provide a method for a server
> to direct clients to discard these cached credentials. This is a
> significant defect that requires further extensions to HTTP."
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html
>
> Has anyone come across this problem? Is there an OWASP guide/best practice
> around logging out when using basic auth or some piece that states basic
> auth is broken and should never be used?
>
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland