[security] Web - Logout does not really logout
nathanael-h opened this issue · 6 comments
Hello,
I have basic and OIDC auth on 2 different servers. I noticed that on Basic auth if I login, then logout, then click again on Basic I do not have to enter credentials again. For me it is a security issue. I think that if a user using basic auth clicks on logout, then when someone clicks to login with basic auth it must ask for id and pwd.
Issue seen on version 0.6 and 0.7.
Yeah I've encountered it myself already. Without investigation yet, I believe it is the browser which caches the basic auth credentials, and we somehow need to tell it to forget them.
Well that doesn't sound good :/
HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.[3] Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials:[4]
https://en.wikipedia.org/wiki/Basic_access_authentication
So I guess the primary answer is not to use basic auth if you require this level of security and have no other means to avoid other persons accessing your browser.
But I'm also going to look for another software-side solution, shouldn't this be a common problem? (but maybe nobody else uses Basic Auth anymore)
I thought it was using a cookie, because when I erase "data and cookies from this site" and I reload the page I am logged out (on Firefox Linux)
After your browser sends the basic auth credentials the server does indeed return a session cookie.
Logging out does also reset this cookie (for any authentication method), that's why it'll prompt you to login again when trying to visit any page.
But when you click on the basic auth sign-in button again, your browser passes the cached credentials automatically.
Clearing website data/cookies does get rid of the basic auth data in Firefox and the session cookie, that's why you are immediately logged out and it can not automatically log in again when you hit the button.
Now I've looked around for ways to clear the data from the browser, but there does not seem to be a stable method.
Doing an XHR request with invalid credentials to force a 401 response might be the most stable one currently: https://stackoverflow.com/questions/4163122/http-basic-authentication-log-out
I'm not looking forward to implementing this...
I'm thinking whether we should add an alternative "simple auth" mechanism, which shows a login page for username and password and sends them via POST instead. Given that we already use session cookies this would only change the way the initial credentials are transmitted.
But it would solve the problem of the browser caching the credentials, and resetting the session cookie on logout would suffice again.
Hello, I read a little about Basic auth logout issues. Indeed it is not easy to solve, sorry for the noise about this. Thanks also for your explanations.
Your suggestion to replace this auth mechanism by a "simple auth" that sends credentials via POST and uses cookies seems a lot more reliable. So it would be a nice improvement especially for the people who do not use another auth backend.
On my side, I will probably go on with only OIDC as it works well.
One more thing, I won't be able to contribute such a feature (no go skill).
Do we have to keep this issue open?
No worries, I'm already working on it: https://github.com/DasSkelett/wg-access-server/tree/feature/simple-auth
Let's keep the issue open to track it, I'll close it with the PR.