Adventures As Me


Why You Should Disable the Popup Login Box

Written 02 Feb 2011

Long, long ago, there was only one way to authenticate users on a website: HTTP Basic Authentication (oh sure, Digest Authentication came later, but few people used it). And then cookies were invented, and the web was yummy. Only it wasn't, because cookies brought privacy concerns along for the ride, and still do. Even so, cookie-based login methods caught on and quickly outpaced the older (and, to many, uglier) Basic Authentication method. Today it is trivial to use cookie-based authentication and authorization when creating a web application, to the point that developers don't even have to think about adding it: most frameworks and libraries provide it out of the box. Yet Basic Authentication continues to be used, and, oddly, is still preferred by some (hopefully the slimmest, tiniest of minorities). Let me give you one reason you should disable, and stop using, HTTP Basic Authentication:

HTTP Basic Authentication does not provide, nor support, a means of logging out of the session.

Once you log in to a site using HTTP Basic Authentication, your session token is retained by the browser until you close the browser. Firefox and IE provide a means of clearing this token, but it is a fragile hack. WebKit-based browsers such as Google Chrome and Apple Safari do not provide one at all. Using the cPanel software as an example, consider this scenario:

  • You login to your cPanel site at https://example.com:2083
  • HTTP Basic Authentication is used to authenticate with cPanel
  • After your management session, you click the Logout Button
  • You visit various other websites throughout the day
  • You return to https://example.com:2083 and are immediately taken to the main cPanel interface

The above is possible because there is no logout functionality. Now, why should you or I care? One phrase: Cross-Site Request Forgery (XSRF). Because the session token is retained by the browser until the browser is closed, it is possible for malicious sites to make use of that token and accomplish things you don't intend. Consider this article as an example. Don't get me wrong: cookie-based authentication is no guarantee that a web application is proofed against XSRF. But with cookie-based logins it is possible to clear out the authentication tokens and clean up the session. Not so with HTTP Basic Authentication. It is for this reason that cPanel recommends disabling HTTP Basic Authentication with cPanel & WHM. HTTP Basic Authentication? Please, don't use it.
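To make the logout difference concrete, here is an added example (my own illustration, not code from the post or from cPanel) that simulates the two authentication styles side by side. The user name, password and `sid` cookie name are constructed sample values; the "browser" is just a pair of header dicts that keep being replayed, the way a real browser keeps replaying Basic credentials.

```python
import base64
import secrets

USERS = {"alice": "s3cret"}  # constructed sample credential store


def basic_auth_user(headers):
    """Stateless check: each request carrying an Authorization header is
    authenticated from scratch, so the server holds nothing it could revoke."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # malformed header: treat as anonymous
        return None
    return user if USERS.get(user) == pw else None


class SessionStore:
    """Server-side session table: the cookie is only a key into this table,
    so logout deletes the entry and the cookie the browser still holds is dead."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, pw):
        if USERS.get(user) != pw:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = user
        return sid

    def user_for(self, headers):
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid":
                return self._sessions.get(value)
        return None

    def logout(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Return (who is authenticated before logout, who is after) for both styles."""
    basic_hdr = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
    store = SessionStore()
    sid = store.login("alice", "s3cret")
    cookie_hdr = {"Cookie": f"sid={sid}"}  # same headers replayed on every request
    before = (basic_auth_user(basic_hdr), store.user_for(cookie_hdr))
    store.logout(sid)  # the Logout button can only ever act on the cookie session
    after = (basic_auth_user(basic_hdr), store.user_for(cookie_hdr))
    return before, after
```

`demo()` returns `(('alice', 'alice'), ('alice', None))`: after logout the cookie session is gone, but the replayed Basic credentials still authenticate, which is exactly the window a forged cross-site request needs.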
