[Cryptography] Basic auth a bit too basic

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Feb 6 02:50:05 EST 2016


Someone just pointed out an interesting problem with HTTP basic auth,
published in 1999 as RFC 2617 and updated 15 years later as RFC 7617: It's an
HTTP version of Hotel California, you can log in but you can never leave
(Stackoverflow has various hacks to deal with this,
http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication/14329930#14329930,
most of them pretty hairy and not very portable).

Perhaps in 2030 when RFC 13,617 comes out, it could include some form of HTTP
extended auth that also allows you to log out.

And a general note to people designing auth protocols: You probably want to
include a mechanism to get the client to stop authenticating to the other side
as well.

Peter.
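As an added illustration (not part of Peter's post) of why there is nothing to "log out" of: with Basic auth the browser simply replays `Authorization: Basic base64(user-id ":" password)` on every request, and the server authenticates each request from scratch with no session state it could revoke. The sketch below, in Python, parses and verifies the header the way RFC 7617 describes it (user-id may not contain a colon, the password may), and includes a `/logout` route that answers 401, the commonly cited browser-side workaround for dropping cached credentials. The realm, user names and password are constructed for the example, and the `/logout` behaviour is one of the hacks the post refers to, not anything the RFC specifies.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credential store for the example: realm and a single user.
# A real deployment would store a salted password hash, never the plaintext.
REALM = "example"
USERS = {"alice": "correct horse battery staple"}


def make_basic_header(user: str, password: str) -> str:
    """Build the header value a client sends: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an 'Authorization: Basic <b64>' value per RFC 7617.

    Returns (user_id, password), or None if the header is absent or malformed.
    The user-id cannot contain ':' but the password can, so split only once.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def check_credentials(creds: Optional[Tuple[str, str]]) -> bool:
    """Constant-time compare of the presented password against the store."""
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def handle_request(path: str, authorization: Optional[str]):
    """Minimal handler returning (status, headers, body).

    Every request is authenticated independently: Basic auth carries no
    server-side session, so there is no token the server can invalidate.
    /logout shows the usual workaround of replying 401 so that the browser
    discards its cached credentials; whether it does so is browser-dependent.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    if path == "/logout":
        return 401, challenge, "logged out (client should drop cached credentials)"
    if check_credentials(parse_basic_header(authorization)):
        return 200, {}, "hello"
    return 401, challenge, "unauthorized"


if __name__ == "__main__":
    hdr = make_basic_header("alice", "correct horse battery staple")
    print(handle_request("/", hdr))
    print(handle_request("/logout", hdr))
    print(handle_request("/", hdr))  # still 200: nothing was revoked server-side
```

The last line of the demo is the point of the post: after the "logout" the same cached header is accepted again, because the server never held anything to revoke.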

