Why You Should Disable the Popup Login Box
Written 02 Feb 2011
HTTP Basic Authentication does not provide, nor support, a means of logging out of the session.
Once you log in to a site using HTTP Basic Authentication, your session token is retained by the browser until you close the browser. Firefox and IE provide a means of clearing this token, but that means is a fragile hack. WebKit-based browsers such as Google Chrome and Apple Safari do not provide such a means at all. Using the cPanel software as an example, consider this scenario:
- You log in to your cPanel site at https://example.com:2083
- HTTP Basic Authentication is used to authenticate with cPanel
- After your management session, you click the Logout button
- You visit various other websites throughout the day
- You return to https://example.com:2083 and are immediately taken to the main cPanel interface, with no login prompt
The above is possible because of the lack of logout functionality. Now, why should you or I care? One phrase: Cross-site Request Forgery (XSRF). Because the session token is retained by the browser until the browser is closed, it is possible for a malicious site to make use of that token, through your browser, to accomplish things you don't intend. Consider this article as an example. Don't get me wrong, cookie-based authentication is no guarantee that a web application is proof against XSRF. But with cookie-based logins it is possible to clear out the authenticated tokens and clean up the session. Not so with HTTP Basic Authentication.

It is for this reason that cPanel recommends disabling HTTP Basic Authentication with cPanel & WHM. HTTP Basic Authentication? Please, don't use it.
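To make the difference concrete, here is a toy model of the two logout behaviours contrasted above. It is an added example, not cPanel's code; the user, realm, cookie name and paths are constructed, and the `stored` dictionary stands in for the browser's per-site credential cache.

```python
import base64
import secrets

# Added example, not cPanel code: USERS, the realm and the paths are constructed.
USERS = {"alice": "correct horse"}


class BasicAuthServer:
    """Stateless: each request is judged solely by its Authorization header."""
    def handle(self, path, headers):
        header = headers.get("Authorization", "")
        if header.startswith("Basic "):
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
            if USERS.get(user) == pw:
                return 200  # /logout is just another page; nothing to revoke
        return 401  # the browser answers this by showing the popup login box


class SessionServer:
    """Stateful: /logout deletes the session, so the cookie stops working."""
    def __init__(self):
        self.sessions = set()

    def login(self, user, pw):  # returns the cookie to set, or None
        if USERS.get(user) != pw:
            return None
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return f"sid={sid}"

    def handle(self, path, headers):
        sid = headers.get("Cookie", "").partition("=")[2]  # value after "sid="
        if sid not in self.sessions:
            return 401
        if path == "/logout":
            self.sessions.discard(sid)
        return 200


def status_after_logout(server, user="alice", pw="correct horse"):
    """Log in, click Logout, then come back later from some other page."""
    # `stored` is the browser's per-site cache: attached to every later request
    # to that site, no matter which page triggered the request.
    if isinstance(server, SessionServer):  # server issues a session cookie
        stored = {"Cookie": server.login(user, pw) or ""}
    else:  # popup login box: user:pass is kept until the browser closes
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        stored = {"Authorization": "Basic " + token}
    server.handle("/logout", stored)
    return server.handle("/", stored)
```

With the Basic server the request after Logout still returns 200, because the cached `user:pass` is replayed and nothing server-side can refuse it; the session server returns 401 because the session id was destroyed.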