Page last updated:
2002 Aug 07 12:18

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

[vox] Semi-OT: HTML, HTTP, authentication, revocation of auth
There is something with web browsers with HTTP that has caused me to
wonder about authentication ever since the early days with Mosaic. It has
bugged me, but never enough to really work at researching it - until now.

When you use the "standard" authentication
(example, within apache, use of a .htaccess file with:
AuthType Basic 
AuthUserFile /path/to/a/password/file
AuthName "special restricted directory"
require valid-user 
)

The client is required to authenticate before they may see the content of
that dir. If they choose a valid user (one in the password "file" above
that has a good password) then they are permitted to continue. However,
their authentication is cached in the memory used by their local
browser. While the browser is left running, any user using that browser
session can walk through any other part of that site or possibly other
similar sites without being prompted for a username and password again.

So here are my questions:
Is it possible to write HTML that would be understood by all browsers to
tell them to "forget" about all previous valid username/passwords
(authentication)? (This may be a kind of META HTML, or non-standard that I
don't know about.)

If there is no HTML, or Meta-HTML, is there something that can be done
with JavaScript or Java to solve this? If you have experience with it, how
consistent is enforcement of things like authentication timeouts, timed
escrow, or ?

I have a particular section of web pages behind an SSL Service (https)
where users authenticate to use WebDAV, change their passwords (cgi page),
see the webalyzer reports, search the logs for certain hits with rDNS and
jwhois on busy IPs, and check on the status of their web account space. In
the case of the CGI for changing passwords, they are required to enter a
password to get to the page (using the basic auth system but over SSL) and
then the CGI also requires them to re-enter their username/password and
compare the username entered with that of the auth session (ENV VAR) and
the password after crypt/md5 hash (whichever is used) with that of what is
stored in the password file. All of these checks are fine and good, but a
user who has left a browser running with the basic auth still cached may
permit a non-authorized user to view content within the priv user space.

I would like to include a timeout - where after that timeout is reached,
the web browser is forced to "forget" the basic authentication and require
the user to re-authenticate to view the page.

Surely, I know the user could just quit the web browser, and restart to
eliminate the basic authentication cache (assuming they did not enable
some additional password caching system.)

Also, the only risk AFAIK to my server is the loss of THEIR data (not
mine) if they should forget to quit their web browser when they are done.

They also have been warned about using machines they don't trust (trojans,
key sequence grabbers in hardware/wedge or software.)

Does anyone have other suggestions for ensuring revocation of user's prior
successful authentication?

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html

