On Fri, 10 Dec 2004 02:45:06 -0700, Dave Warren <maillist at devilsplayground dot net> wrote:

> Holger Bauer wrote:
>
> > Netgear routers have a logout function, but I don't know if this "logout" is really secure. I only know that you can't manage the router from another IP address if there is someone logged in already from somewhere else. I haven't checked out what happens if I try to reconnect from the same browser and machine after logging out. I have m0n0walls now everywhere, so it's hard for me to test now, but next time I get my hands on a Netgear I'll do a test. Maybe someone else who reads this could test it.
>

Netgear and other boxes you see with a logout button don't use straight HTTP auth, but rather some sort of forms-based authentication, with cookies or something of that nature to track session state. I'm sure when you hit log out on those, it most likely works as indicated. You can't have a reliable log out button when using HTTP auth, since that's a function of the browser, as Manuel said.

From a complexity and security standpoint, we're much better off, IMO, using HTTP auth rather than any sort of forms-based authentication because of the relative complexities of tracking session states. When using HTTP auth, your browser sends the username and password for every page that you request, which is how it knows you're authenticated (and also why your browser hangs onto that username/password until you close it). For forms-based auth, the application must have a means to keep track of your session state, and this is one of the common ways security vulnerabilities are introduced in web-based applications and management interfaces.

> One of the beautiful things about m0n0wall is that it doesn't have any
> idiotic "only one IP can admin at a time" restriction, doesn't rely on
> cookies or anything else like that.
>
> HTTP AUTH was invented for a reason and I'd like to thank whoever made
> the decision (Manuel, I assume) for implementing it this way.
>
> As far as logging out, close your browser window. This is the only
> reliable method that works for all sites (unless the site happens to use
> non-transient cookies)

Amen.

-Chris
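The contrast drawn in the message above (HTTP Basic auth carries the credential on every request and has no server-side session to clear, whereas a forms-based login must keep a session table, which is what a logout button actually empties) is easier to see in code. The following is an added example written for this archive page; it is not code from the thread, from m0n0wall, or from Netgear firmware. The credentials, the realm string, the header dictionaries and the class and function names are all constructed for the demonstration.

```python
import base64
import hmac
import secrets

# Constructed credentials for the demo. A real device stores a password hash,
# never the plaintext; the realm string is likewise an assumption.
USERNAME = "admin"
PASSWORD = "correct horse"
REALM = "webGUI"


def basic_header(user: str, pw: str) -> dict:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def check_basic_auth(headers: dict):
    """Validate an HTTP Basic Authorization header (RFC 7617).

    Returns (status, extra_response_headers). Note what is absent: there is
    no state to create on success and none to destroy on 'logout'. The
    browser re-sends the same header on every request until it is closed,
    which is exactly the behaviour the thread describes.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    value = headers.get("Authorization", "")
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return 401, challenge
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge  # malformed token: treat as unauthenticated
    user, sep, pw = decoded.partition(":")
    if not sep:
        return 401, challenge
    # Compare both fields in constant time, and evaluate both before
    # combining, so timing reveals neither a valid username nor a prefix match.
    ok_user = hmac.compare_digest(user.encode("utf-8"), USERNAME.encode("utf-8"))
    ok_pw = hmac.compare_digest(pw.encode("utf-8"), PASSWORD.encode("utf-8"))
    if not (ok_user and ok_pw):
        return 401, challenge
    return 200, {}


class SessionStore:
    """The server-side session table a forms-based login has to maintain.

    This table is the extra attack surface the message warns about: session
    ids must be unpredictable, bound to one login, and actually removed on
    logout, or the 'Logout' button is cosmetic.
    """

    def __init__(self):
        self._sessions = {}  # session id -> username

    def login(self, user: str, pw: str):
        ok_user = hmac.compare_digest(user.encode("utf-8"), USERNAME.encode("utf-8"))
        ok_pw = hmac.compare_digest(pw.encode("utf-8"), PASSWORD.encode("utf-8"))
        if not (ok_user and ok_pw):
            return None
        # 128 bits from the OS CSPRNG; never derived from time, IP or a counter.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = user
        return sid

    def check(self, cookies: dict) -> bool:
        """True only if the presented cookie matches a live session."""
        return cookies.get("session", "") in self._sessions

    def logout(self, cookies: dict) -> None:
        """Invalidate server-side state; the cookie alone becomes worthless."""
        self._sessions.pop(cookies.get("session", ""), None)


def demo() -> dict:
    """Walk through both schemes and return the observations."""
    store = SessionStore()
    sid = store.login(USERNAME, PASSWORD)
    live_before = store.check({"session": sid})
    store.logout({"session": sid})
    return {
        "basic_ok": check_basic_auth(basic_header(USERNAME, PASSWORD))[0],
        "basic_bad": check_basic_auth(basic_header(USERNAME, "nope"))[0],
        "basic_none": check_basic_auth({})[0],
        "session_live_before_logout": live_before,
        "session_live_after_logout": store.check({"session": sid}),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry: `check_basic_auth` has no logout path at all, so the only defensive answer for a Basic-auth interface is the one given in the thread (close the browser, and keep the management interface off untrusted networks), while the session variant can revoke access server-side but only because it carries the session table whose generation, lookup and cleanup must all be right.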