
I have installed the Apache HTTPD Server and its mod_authn_otp modules for authentication. Everything works fine.

However, there is one little problem. I am unable to "end" the user session. Upon reading the documents I came across how this can be done. The mod_authn_otp documentation says:

Logout

Since HTTP authentication is essentially stateless, there's no actual "login" process. Each HTTP request requires its own authentication. Similarly, there is also no "logout" process. In other words, there is no way for the user or the server to force a "logout" of the user's browser, because the browser is never "logged in". With mod_authn_otp, the "logout" happens exactly when the maximum linger time is reached.

Actually, in practice there is a way for the server to "logout" the user: by returning a 401 Unauthorized HTTP error code. This will cause the browser to "forget" the username/password pair that it has been using and prompt for a new one. However, this would have to be done at the script level (e.g., via PHP script). Also, this only "logs out" that user's browser. An attacker who was able to use the same one-time password from a different browser within the maximum linger time would still be able to get in.

Therefore, I just wrote a small bash script to return HTTP error as follows:

#!/bin/bash
# Apache mod_cgi expects a "Status:" header (a raw HTTP/1.0 line is only valid for nph- scripts)
echo 'Status: 401 Unauthorized'
echo 'WWW-Authenticate: Basic realm="mod_authn_otp"'
echo   # blank line ends the CGI headers

However, when I call this script, it pops up the authentication prompt again and even if I give the correct details, the authentication fails. Also, the HTTP error page is not being redirected with this script. Please help.

Thanks in advance!

jtravaglini
user900785
  • Why do you need to "end" the session? Is your linger time > 0? If so they recommend using SSL encrypted sessions anyway, which it doesn't seem like you're doing given the "Basic" authentication scheme. If linger = 0 then the OTP is valid only once and thus the session is already "ended". – jtravaglini Sep 18 '13 at 11:34
  • The problem is, once I authenticate myself in the pop-up with my username and password, I get into the (say) "welcome" page. Here I have a logout button so that it "forgets" my details. The script above implements this logout button by "forgetting my details" and showing me the authentication pop-up box again. I have set my linger time to zero. But the error I get is: even when I enter the correct user details, the pop-up never authenticates me. Only when I close the browser and reopen can I authenticate myself through the pop-up again! – user900785 Sep 18 '13 at 14:30

2 Answers

Only when I close the browser and reopen can I authenticate myself through the pop up menu again

An attacker who was able to use the same one-time password from a different browser within the maximum linger time would still be able to get in.

Instead of sending the 401 request, try sending bad credentials:

Paul Sweatte

When the client enters the correct credentials, your script then returns a 401, making the client interpret them as incorrect. So it's working as you have designed, just not as you want.

There are JS hacks to get around it by sending an ajax request that fails auth and then a request with temp credentials that succeed but will fail your actual auth.

Otherwise you have to get around it by user training: tell the user to close all instances of the browser, or to use "Cancel" on the log-out page, then provide a link to the homepage to log back in.

Matt
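The "Cancel, then follow a link" flow from the answer above, as an added CGI example in shell; it is not code from the question or from either answer. It relies only on the two facts already stated on this page: a 401 response makes the browser drop its cached Basic credentials, and whatever the user re-types at the prompt is sent straight back to the same URL. So the script answers 401 to every request except one carrying a "done" marker, and the 401 body (which browsers display once the prompt is cancelled) links to that marked URL instead of asking for a password again. Assumptions: Apache mod_cgi (non-nph, so the status goes in a "Status:" header), the realm name "mod_authn_otp" from the question, and a hypothetical home page /welcome.html.

```shell
#!/bin/sh
# Added example: a Basic-auth "logout" CGI page for Apache mod_cgi.
# Assumed realm (from the question) and a hypothetical home page URL.
REALM="mod_authn_otp"
HOME_URL="/welcome.html"

# CGI headers that make the browser discard its cached credentials.
# mod_cgi takes the status from "Status:"; headers end with a blank line.
emit_401_headers() {
    printf 'Status: 401 Unauthorized\r\n'
    printf 'WWW-Authenticate: Basic realm="%s"\r\n' "$REALM"
    printf 'Content-Type: text/html\r\n'
    printf '\r\n'
}

# Body shown after the user presses Cancel on the prompt. It links to the
# "done" state, so a re-entered password is never sent to a URL that answers
# 401 again (the failure mode described in the question).
emit_401_body() {
    printf '<html><body><p>You have been logged out.</p>\n'
    printf '<p>Press <b>Cancel</b> on the password prompt, then '
    printf '<a href="?done=1">continue</a>.</p></body></html>\n'
}

# Plain 200 page for the "done" state with a link back to the home page;
# following that link triggers a fresh authentication prompt.
emit_done_page() {
    printf 'Status: 200 OK\r\n'
    printf 'Content-Type: text/html\r\n'
    printf '\r\n'
    printf '<html><body><p>Logged out. <a href="%s">Log in again</a>.</p></body></html>\n' "$HOME_URL"
}

# Choose the response from the CGI query string given as $1 and write the
# whole response (headers and body) to stdout.
logout_response() {
    case "$1" in
        "done=1"|*"&done=1"|"done=1&"*|*"&done=1&"*)
            emit_done_page ;;
        *)
            emit_401_headers
            emit_401_body ;;
    esac
}

# Apache sets GATEWAY_INTERFACE and QUERY_STRING when it runs the script as
# CGI; only then do we actually emit a response from the top level.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    logout_response "${QUERY_STRING:-}"
fi
```

Install it as, for example, /cgi-bin/logout.sh in a location that is not itself behind the same auth realm, and point the logout button at it; the "?done=1" page then carries the link back to the protected area, where the next request prompts for a new one-time password.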