Basic Authentication Log Out
v1.0 June 2002

Maven Security Consulting, Inc.
PO Box 37635 PMB 50645
Philadelphia, PA 19101-0635
http://www.MavenSecurity.com

Copyright 2002 – Maven Security. All Rights Reserved

Introduction

This paper describes how you could clear HTTP Basic Authentication credentials from a browser without requiring the user to close their browser. It should be noted that there are no official HTTP/HTML mechanisms for clearing user credentials from a user's browser when basic authentication has been used. Therefore, the method described in this document is offered as a technically feasible sign-off method. However, whether this technique is "user-friendly" and viable for large-scale production systems is not guaranteed. As with any design changes, performance and user acceptance testing will be required before deploying into production.

Background

Web browsers store Basic Authentication credentials in memory. The credentials are associated with a specific web site and realm name. The realm name is an arbitrary name set by the web server to define a specific area of a web site. This is useful if partitioning a site into different areas. The realm name is shown to the user when they are prompted to enter their username and password.

Figure 1 - Sample Prompt for Basic Authentication

.htaccess

For example, to restrict access for the directory /~chris to only the user Chris, you could use a .htaccess file (for Apache). The .htaccess file would look something like this:

    AuthType Basic
    AuthName UserArea
    AuthUserFile /usr/local/apache/conf/users
    Require user Chris

Later, if you wanted to clear Chris' name and password from the browser, you will need to create two "Logout" links in series (i.e. the first link leads to a page that contains the second link). The first would lead to a page that instructed the user (e.g. Chris) to click on the link below (the second and last "Logout" link) and enter "EXIT" as the username and password when prompted. Explain to the user how this will erase over the real credentials in the browser's memory, making it impossible for someone to steal them from the PC at a later time. (Alternatively, this page can simply explain that the browser needs to be shut down completely in order to clear the credentials. Therefore, the rest of this paper is moot.)

Now, when the user clicks on this second link it should point to a directory (let's call it /LOGOUT) that has the following .htaccess file:

    AuthType Basic
    AuthName UserArea
    AuthUserFile /usr/local/apache/conf/users
    Require user EXIT

The browser only tracks the credentials by site name and realm name (both of which are the same as before - "UserArea" is the realm name in this example). Therefore, this new "sign-on" attempt (for the user named EXIT) will write over the old credentials in the browser's memory.
Since only the user called "EXIT" (with a password of "EXIT") is acceptable to enter this directory (/LOGOUT), this prevents Chris (or any other user) from accidentally entering a valid account name and password. The website would continue to prompt the user until they entered the correct username and password (i.e. EXIT/EXIT).
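
The overwrite described above, modelled as an added example (not code from the original paper): serve() stands in for the two .htaccess files, and Browser keeps one cached credential per site and realm, which is the caching behaviour the paper describes. The host name, Chris's password and all function names are constructed for illustration.

```python
import base64

REALM = "UserArea"
USERS = {"Chris": "sample-password", "EXIT": "EXIT"}        # constructed sample accounts
REQUIRED_USER = {"/~chris/": "Chris", "/LOGOUT/": "EXIT"}   # one entry per .htaccess file


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def serve(path, authorization=None):
    """Server side: status and headers for a request to `path`."""
    required = next((u for p, u in REQUIRED_USER.items() if path.startswith(p)), None)
    if required is None:
        return 200, {}
    if authorization and authorization.startswith("Basic "):
        try:
            decoded = base64.b64decode(authorization[6:]).decode()
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            decoded = ""
        user, _, password = decoded.partition(":")
        if user == required and USERS.get(user) == password:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


class Browser:
    """Client model: one cached credential per (site, realm), as the paper describes."""

    def __init__(self, site):
        self.site, self.cache = site, {}

    def get(self, path, typed=None):
        """Fetch `path`; `typed` is the (user, password) entered if prompted."""
        status, headers = serve(path)
        if status != 401:
            return status
        key = (self.site, headers["WWW-Authenticate"].split('realm="')[1].rstrip('"'))
        for header in (self.cache.get(key), typed and basic_header(*typed)):
            if header and serve(path, header)[0] == 200:
                self.cache[key] = header  # a successful prompt overwrites the old entry
                return 200
        return 401


def demo():
    b = Browser("www.example.com")
    chris, exit_user = ("Chris", "sample-password"), ("EXIT", "EXIT")
    return [b.get("/~chris/", chris), b.get("/~chris/"), b.get("/LOGOUT/", chris),
            b.get("/LOGOUT/", exit_user), b.get("/~chris/")]
```

demo() walks through login, a cached revisit, a rejected attempt to enter Chris's own credentials at /LOGOUT, the EXIT sign-on, and a final visit to /~chris that is challenged again because the cached entry now belongs to EXIT.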

This method requires the creation of a user with the name "EXIT" and the password as "EXIT". The index.html file for the /LOGOUT directory is the document that will be shown to the user after they enter "EXIT" in the Basic authentication dialog box. Therefore, the index.html file could contain some sort of "success" message, such as "You have successfully cleared your username and password from memory – thanks for using Basic Authentication ;-)."

Unfortunately, this method requires the user to take several steps. If the site enforces a lockout mechanism to prevent brute-force attacks (and it should), this could cause problems if someone accidentally (or intentionally) locks the EXIT user. Therefore, the lockout mechanism for the EXIT user should not be enforced.

Unfortunately, if the user leaves their computer unattended, forgetting to logout, there does not appear to be any way to remotely clear the HTTP Basic authentication credentials from the browser. Java or JavaScript could be used to automatically request the logout URL, but it cannot enter the required username and password (i.e., EXIT) into the dialog box in order to write over the cached credentials.