[vox-tech] Re: [vox] Semi-OT: HTML, HTTP, authentication, revocation of auth

Jeff Newmiller vox-tech@lists.lugod.org
Wed, 7 Aug 2002 11:51:17 -0700 (PDT)


Take a look at http://sec.ure.org/apache_auth.shtml... mod_auth_tkt seems
to be just the ticket.

On Wed, 7 Aug 2002, ME wrote:

> 
> There is something with web browsers with HTTP that has caused me to
> wonder about authentication ever since the early days with Mosaic. It has
> bugged me, but never enough to really work at researching it - until now.
> 
> When you use the "standard" authentication
> (example, within apache, use of a .htaccess file with:
> AuthType Basic 
> AuthUserFile /path/to/a/password/file
> AuthName "special restricted directory"
> require valid-user 
> )
> 
> The client is required to authenticate before they may see the content of
> that dir. If they choose a valid user (one in the password "file" above
> that has a good password) then they are permitted to continue. However,
> their authentication is cached in the memory used by their local
> browser. While the browser is left running, any user using that browser
> session can walk through any other part of that site or possibly other
> similar sites without being prompted for a username and password again.
> 
> So here are my questions:
> Is it possible to write HTML that would be understood by all browsers to
> tell them to "forget" about all previous valid username/passwords
> (authentication)? (This may be a kind of META HTML, or non-standard that I
> don't know about.)
> 
> If there is no HTML, or Meta-HTML, is there something that can be done
> with JavaScript or Java to solve this? If you have experience with it, how
> consistent is enforcement of things like authentication timeouts, timed
> escrow, or ?
> 
> I have a particular section of web pages behind an SSL Service (https)
> where users authenticate to use WebDAV, change their passwords (cgi page),
> see the webalyzer reports, search the logs for certain hits with rDNS and
> jwhois on busy IPs, and check on the status of their web account space. In
> the case of the CGI for changing passwords, they are required to enter a
> password to get to the page (using the basic auth system but over SSL) and
> then the CGI also requires them to re-enter their username/password and
> compare the username entered with that of the auth session (ENV VAR) and
> the password after crypt/md5 hash (whichever is used) with that of what is
> stored in the password file. All of these checks are fine and good, but a
> user who has left a browser running with the basic auth still cached may
> permit a non-authorized user to view content within the priv user space.
> 
> I would like to include a timeout - where after that timeout is reached,
> the web browser is forced to "forget" the basic authentication and require
> the user to re-authenticate to view the page.
> 
> Surely, I know the user could just quit the web browser, and restart to
> eliminate the basic authentication cache (assuming they did not enable
> some additional password caching system.)
> 
> Also, the only risk AFAIK to my server is the loss of THEIR data (not
> mine) if they should forget to quit their web browser when they are done.
> 
> They also have been warned about using machines they don't trust (trojans,
> key sequence grabbers in hardware/wedge or software.)
> 
> Does anyone have other suggestions for ensuring revocation of user's prior
> successful authentication?
> 
> 

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
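The ticket approach Jeff points at solves the problem the poster describes: a Basic Auth credential lives in the browser and no HTML or header can make every browser drop it, whereas a server-issued ticket cookie carries its own issue time, so the server can reject it after a timeout, refuse revoked tickets, and clear it on logout with an expiring Set-Cookie. The following is an added illustration of that idea, not mod_auth_tkt's actual ticket format or code; it assumes an HMAC-SHA256 ticket of the form `user:issued_at:mac` and a constructed server secret.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-example-secret"  # assumption: kept server-side, never sent to the client
TTL = 15 * 60                            # ticket lifetime in seconds (15 minutes)


def issue_ticket(user, issued_at, secret=SECRET):
    """Build the ticket to set as a cookie once the user has logged in.

    The MAC covers user and issue time, so neither can be altered client-side.
    """
    payload = f"{user}:{issued_at}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b":" + mac).decode()


def verify_ticket(ticket, now, secret=SECRET, ttl=TTL, revoked=frozenset()):
    """Return the user name if the ticket is authentic, unexpired and not
    revoked; otherwise return None so the caller redirects to the login page."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode()).decode()
        user, issued_str, mac = raw.rsplit(":", 2)
        issued_at = int(issued_str)
    except ValueError:
        return None  # malformed: not something this server issued
    expected = hmac.new(secret, f"{user}:{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered ticket
    if now < issued_at or now - issued_at > ttl:
        return None  # timeout reached (or clock went backwards): re-authenticate
    if ticket in revoked:
        return None  # explicitly logged out before the timeout
    return user


if __name__ == "__main__":
    t = issue_ticket("alice", issued_at=1000)
    print(verify_ticket(t, now=1500))              # alice
    print(verify_ticket(t, now=1000 + TTL + 1))    # None: expired
    print(verify_ticket(t, now=1500, revoked={t}))  # None: logged out
```

The server clears the cookie on logout with a Set-Cookie whose expiry is in the past and adds the ticket to its revocation set until the ticket would have expired anyway, at which point the entry can be dropped.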