Apache mod_authn_otp and HTTP 401 error

I have installed the Apache HTTPD Server and its mod_authn_otp modules for authentication. Everything works fine.

However, there is one little problem. I am unable to "end" the user session. Upon reading the documents I came across how this can be done. The mod_authn_otp documentation says:

Logout

Since HTTP authentication is essentially stateless, there's no actual "login" process. Each HTTP request requires its own authentication. Similarly, there is also no "logout" process. In other words, there is no way for the user or the server to force a "logout" of the user's browser, because the browser is never "logged in". With mod_authn_otp, the "logout" happens exactly when the maximum linger time is reached.

Actually, in practice there is a way for the server to "logout" the user: by returning a 401 Unauthorized HTTP error code. This will cause the browser to "forget" the username/password pair that it has been using and prompt for a new one. However, this would have to be done at the script level (e.g., via a PHP script). Also, this only "logs out" that user's browser. An attacker who was able to use the same one-time password from a different browser within the maximum linger time would still be able to get in.

Therefore, I just wrote a small bash script to return the HTTP error as follows:

#!/bin/bash
# CGI response: a CGI script sets the status with a "Status:" header (only an nph-* script writes the raw "HTTP/1.0 401 Unauthorized" line itself)
echo 'Status: 401 Unauthorized'
echo 'WWW-Authenticate: Basic realm="mod_authn_otp"'
echo    # an empty line terminates the headers
echo 'Logged out.'

However, when I call this script, it pops up the authentication prompt again and even if I give the correct details, the authentication fails. Also, the HTTP error page is not being redirected with this script. Please help.

Thanks in advance!
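To make the mechanics behind the quoted documentation concrete, the following is an added example (not code from the question, from the answers, or from the mod_authn_otp project). It models the exchange as a small, self-contained simulation: HTTP Basic auth carries no session, so the server re-checks the Authorization header on every request; a 401 makes the browser drop the username/password pair it has cached; and a one-time password that has been accepted once stays reusable until a linger window expires, which is exactly why a 401 "logout" only clears one browser. The HOTP routine follows RFC 4226 and uses the RFC's published test key; the OtpAuthServer and Browser classes, the MAX_LINGER value, the /logout path and the counter look-ahead are constructed for the model and are assumptions, not mod_authn_otp's real implementation or configuration. Timestamps are passed in explicitly so the run is deterministic.

```python
import base64
import hashlib
import hmac
import struct

# Constructed values for the model (assumptions, not mod_authn_otp settings):
MAX_LINGER = 600                      # seconds a used OTP stays reusable
SECRET = b"12345678901234567890"      # RFC 4226 Appendix D test key
REALM = "mod_authn_otp"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpAuthServer:
    """Toy stand-in for Apache plus an OTP Basic-auth module. It keeps no session:
    every request is authenticated from its own Authorization header."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next unused HOTP counter for this user
        self.look_ahead = look_ahead
        self.linger_otp = None      # the OTP accepted most recently ...
        self.linger_until = 0.0     # ... and until when it may be reused

    def challenge(self):
        # The same 401 serves both "please log in" and the "logout" trick.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"

    def _verify(self, password: str, now: float) -> bool:
        if password == self.linger_otp and now < self.linger_until:
            return True             # same OTP resent inside the linger window
        for i in range(self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, self.counter + i).encode(), password.encode()):
                self.counter += i + 1          # burn this code and any skipped ones
                self.linger_otp, self.linger_until = password, now + MAX_LINGER
                return True
        return False

    def handle(self, path: str, headers: dict, now: float):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return self.challenge()
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        if not self._verify(password, now):
            return self.challenge()
        if path == "/logout":
            # Valid credentials, yet a 401: this is what the logout script does,
            # so the browser forgets the pair it has been sending.
            return self.challenge()
        return 200, {}, f"hello {user}"


class Browser:
    """Models the only state that exists in HTTP auth: the browser's cached credentials."""

    def __init__(self):
        self.cached = None

    def request(self, server: OtpAuthServer, path: str, now: float, creds=None) -> int:
        if creds is not None:
            self.cached = creds     # the user typed into the prompt
        headers = {}
        if self.cached is not None:
            token = base64.b64encode(":".join(self.cached).encode()).decode()
            headers["Authorization"] = "Basic " + token
        status, _, _ = server.handle(path, headers, now)
        if status == 401:
            self.cached = None      # browsers drop the pair and re-prompt on 401
        return status


def scenario() -> dict:
    """Walks through login, 401 logout, the retry symptom and the linger caveat."""
    server, alice, mallory = OtpAuthServer(SECRET), Browser(), Browser()
    otp = hotp(SECRET, 0)                      # what the user's token shows: 755224
    r = {}
    r["login"] = alice.request(server, "/", 0, creds=("alice", otp))
    r["second_page"] = alice.request(server, "/page2", 5)              # cached OTP still lingers
    r["logout"] = alice.request(server, "/logout", 10)                 # 401 clears the cache
    r["after_logout"] = alice.request(server, "/", 11)                 # no credentials: prompt
    # Re-entering the correct pair on the logout page fails again, because that
    # page always answers 401.
    r["retry_on_logout_page"] = alice.request(server, "/logout", 12, creds=("alice", otp))
    # The documentation's caveat: another client can replay the same OTP until
    # the linger window closes, logout or not.
    r["attacker_within_linger"] = mallory.request(server, "/", 30, creds=("alice", otp))
    r["attacker_after_linger"] = mallory.request(server, "/", MAX_LINGER + 100)
    r["next_otp_after_linger"] = alice.request(server, "/", MAX_LINGER + 101, creds=("alice", hotp(SECRET, 1)))
    return r


if __name__ == "__main__":
    for step, status in scenario().items():
        print(f"{step:24s} -> {status}")
```

Running it shows the two points side by side: the 401 empties only the one browser's credential cache (every later request from it is challenged until the user types something new), while a second client presenting the same OTP is accepted for the rest of the linger window, and only a fresh OTP succeeds once that window has passed.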

Only when I close the browser and reopen it can I authenticate myself through the pop-up again.

An attacker who was able to use the same one-time password from a different browser within the maximum linger time would still be able to get in.

Instead of sending the 401 request, try sending bad credentials:

When the client enters the correct credentials, your script then returns a 401, making the client interpret them as incorrect. So it's working as you have designed, just not as you want.

There are JS hacks to get around it by sending an AJAX request that fails auth and then a request with temporary credentials that succeed but will fail your actual auth.

Otherwise, you have to get around it with user training: tell the user to close all instances of the browser, or to use "Cancel" on the logout page, then provide a link to the homepage to log back in.
