[Cryptography] Basic auth a bit too basic

John Levine johnl at iecc.com
Sat Feb 6 13:46:00 EST 2016


>Someone just pointed out an interesting problem with HTTP basic auth,
>published in 1999 as RFC 2617 and updated 15 years later as RFC 7617: It's an
>HTTP version of Hotel California, you can log in but you can never leave

This problem, known in North America as a "roach motel," has been well
known as long as I've been messing with web sites.

It would be technically straightforward for browsers to have a logout
button that forgets the auth credentials for the current page, or to
invent an HTML meta tag that tells browsers to forget auth credentials
for the current page's domain (give or take the same cross-domain
issues with cookies.)  The fact that nobody's done either suggests
that it's not a big problem in practice.

Also note that you can log out reliably by exiting and restarting your
browser, which is a pain but not that big a pain.

R's,
John
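An added example, not part of the thread above, that models the behaviour the post describes: a minimal RFC 7617 server that challenges with 401 and checks `Authorization: Basic` headers, plus a model of a browser's credential cache keyed by origin, which resends the credentials on every later request because nothing in the protocol tells it to stop. The `forget()` method stands in for the logout button or meta tag the post says browsers could add; constructing a fresh cache stands in for restarting the browser. All names (`USERS`, `REALM`, `ORIGIN`, `BrowserCredentialCache`, `simulate_session`) and the credentials are hypothetical values constructed for this example.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed example data (hypothetical); a real server would hold password hashes.
USERS = {"alice": "correct horse battery staple"}
REALM = "members"
ORIGIN = "https://example.com"


def encode_basic(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' header value (RFC 7617 user-id:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64>' into (user, password); return None on any malformed input."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def server_handle(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Minimal server: 200 with valid credentials, otherwise a 401 challenge."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is not None:
        user, password = creds
        expected = USERS.get(user)
        # Constant-time comparison so a wrong password does not leak its prefix via timing.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


@dataclass
class BrowserCredentialCache:
    """Model of a browser's Basic-auth cache, keyed by origin (the protection space).

    Once a login succeeds the browser resends the credentials on every later
    request to that origin; the protocol has no message that clears the entry.
    """
    cache: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def request(self, origin: str, path: str,
                login: Optional[Callable[[], Tuple[str, str]]] = None) -> int:
        """Send one request; on 401, prompt the user via `login` and retry once."""
        headers: Dict[str, str] = {}
        cached = self.cache.get(origin)
        if cached:
            headers["Authorization"] = encode_basic(*cached)
        status, _ = server_handle(path, headers)
        if status == 401 and login is not None:
            user, password = login()
            status, _ = server_handle(path, {"Authorization": encode_basic(user, password)})
            if status == 200:
                self.cache[origin] = (user, password)  # remembered until the browser exits
        return status

    def forget(self, origin: str) -> None:
        """The logout mechanism the post wishes browsers exposed (hypothetical)."""
        self.cache.pop(origin, None)


def simulate_session() -> Tuple[int, int, int]:
    """Log in once, observe the credentials being resent, then 'log out' and retry."""
    browser = BrowserCredentialCache()
    first = browser.request(ORIGIN, "/members", login=lambda: ("alice", USERS["alice"]))
    second = browser.request(ORIGIN, "/members")   # no prompt needed: still 200
    browser.forget(ORIGIN)                          # the missing logout button
    third = browser.request(ORIGIN, "/members")    # challenged again: 401
    return first, second, third


if __name__ == "__main__":
    print(simulate_session())
```

The second request succeeding with no prompt is the roach-motel effect: the server never sees a "logged in" state, it just keeps receiving the header the browser chose to remember. On the defender's side this means session expiry, forced re-authentication, or an audit of who is still "logged in" cannot be driven from the server under Basic auth alone, which is why the post's only reliable remedy is dropping the cache by exiting the browser.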

