- From: Scott Lawrence <lawrence@agranat.com>
- Date: Mon, 16 Feb 1998 11:18:48 -0500
- To: Jim Gettys <jg@pa.dec.com>
- Cc: http-wg@cuckoo.hpl.hp.com
I've attempted to provide a more general discussion of the issue of cached credentials, appended below.

>>>>> "JG" == Jim Gettys <jg@pa.dec.com> writes:

JG> 15.6 Authentication Credentials and Idle Clients
JG>
JG> Existing HTTP clients and user agents typically retain authentication
JG> information indefinitely. HTTP/1.1 does not provide a method for an origin
JG> server or proxy to force reauthentication. Since clients may be idle for
JG> extended periods between use (and unauthorized users may have access to
JG> the user agent during these idle periods), this is a significant defect
JG> that requires further extensions to HTTP. This is currently under separate
JG> study. For user agents, there are a number of work-arounds to parts of
JG> this problem, and we encourage the use of password protection in screen
JG> savers, idle time-outs, and other methods which mitigate the security
JG> problems inherent in this problem.

15.6 Caching Authentication Credentials

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide a method for a server to direct clients to discard these cached credentials. This is a significant defect that requires further extensions to HTTP. Circumstances under which this should be possible include but are not limited to:

- Clients which have been idle for an extended period following which the server may wish to cause the client to reprompt the user for credentials.

- Applications which include a session termination indication (such as a 'logout' or 'commit' button on a page) after which the server side of the application 'knows' that there is no further reason for the client to retain the credentials.

This is currently under separate study. For user agents, there are a number of work-arounds to parts of this problem, and we encourage the use of password protection in screen savers, idle time-outs, and other methods which mitigate the security problems inherent in this problem.

In particular, user agents which cache credentials are encouraged to provide a readily accessible mechanism for discarding cached credentials under user control.

-- 
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Monday, 16 February 1998 08:49:31 UTC
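The following is an added illustration, not part of the message above and not code from EmWeb or any HTTP/1.1 implementation. It models a user agent's credential cache in Python to show the defect the proposed section 15.6 describes (the origin server has no way to make a client drop a cached Basic credential, so a request after a long idle period is silently re-authenticated without the user being asked) together with the two client-side work-arounds the message names: an idle time-out on cached entries and a discard mechanism under user control. All names (`CredentialCache`, `server_handle`, `user_agent_request`, `simulate`), the account, realm and time-out value are constructed for the example.

```python
import base64
from dataclasses import dataclass, field

# Constructed sample values for the simulation (hypothetical, not from the message).
USERS = {"alice": "correct horse"}
HOST = "server.example"
REALM = "example"
IDLE_TIMEOUT_SECONDS = 15 * 60  # a user-agent idle time-out, one of the named work-arounds


@dataclass
class CachedCredential:
    header_value: str  # the exact Authorization header value the agent will resend
    last_used: float   # timestamp (seconds) of the last request that used it


@dataclass
class CredentialCache:
    """Per-(host, realm) credential store of a simulated user agent (hypothetical).

    HTTP/1.1 gives the server no way to evict entries, so both mitigations
    modelled here live on the client side:
      * idle time-out: an entry unused for longer than idle_timeout is dropped
        before reuse, so the user is reprompted instead of silently re-authenticated;
      * user-controlled discard: discard() / clear() remove entries on demand
        (a 'logout' control the user can reach).
    """
    idle_timeout: float = IDLE_TIMEOUT_SECONDS
    _entries: dict = field(default_factory=dict)

    def store(self, host, realm, username, password, now):
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._entries[(host, realm)] = CachedCredential("Basic " + token, now)

    def lookup(self, host, realm, now):
        entry = self._entries.get((host, realm))
        if entry is None:
            return None
        if now - entry.last_used > self.idle_timeout:
            # Idle too long: evict so the caller has to reprompt the user.
            del self._entries[(host, realm)]
            return None
        entry.last_used = now
        return entry.header_value

    def discard(self, host, realm):
        return self._entries.pop((host, realm), None) is not None

    def clear(self):
        self._entries.clear()


def server_handle(authorization):
    """Minimal origin server: 200 if the Basic credentials match, else 401.
    It cannot tell a fresh user prompt from a silently resent cached header."""
    if authorization and authorization.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 payload
            return 401
        if USERS.get(user) == pw:
            return 200
    return 401


def user_agent_request(cache, now, prompt):
    """Simulated user agent: resend a cached credential if one is present,
    otherwise call prompt() for fresh credentials. Returns (status, prompted)."""
    header = cache.lookup(HOST, REALM, now)
    if header is not None:
        status = server_handle(header)
        if status != 401:
            return status, False
        cache.discard(HOST, REALM)  # rejected: drop it and fall through to reprompt
    creds = prompt()
    if creds is None:
        return 401, True
    user, pw = creds
    cache.store(HOST, REALM, user, pw, now)
    return server_handle(cache.lookup(HOST, REALM, now)), True


def simulate(idle_timeout, idle_seconds, user_discarded):
    """Log in at t=0, optionally discard via the user control, then request
    again idle_seconds later. Returns True if the user was reprompted."""
    cache = CredentialCache(idle_timeout=idle_timeout)
    prompt = lambda: ("alice", "correct horse")
    status, _ = user_agent_request(cache, 0.0, prompt)
    assert status == 200
    if user_discarded:
        cache.discard(HOST, REALM)
    _, prompted = user_agent_request(cache, float(idle_seconds), prompt)
    return prompted


if __name__ == "__main__":
    print("no time-out, 1h idle, reprompted:", simulate(float("inf"), 3600, False))
    print("15m time-out, 1h idle, reprompted:", simulate(IDLE_TIMEOUT_SECONDS, 3600, False))
    print("15m time-out, 1m idle, reprompted:", simulate(IDLE_TIMEOUT_SECONDS, 60, False))
    print("no time-out, user discarded, reprompted:", simulate(float("inf"), 60, True))
```

The first scenario is the defect itself: with no client-side time-out, an hour-idle agent resends the cached header and the server, which sees only a valid Basic credential, accepts it. The server had no protocol-level way to ask for a reprompt; only the agent's own idle time-out or the user's discard control produces one.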