0

I created REST webservice and secured it using HTTP Basic authentication.

It is working fine and asks for the username/password. But on a second run (if the browser is still open) the webservice does not ask for the username/password. If I close and reopen the browser, it works as I wanted, asking for authentication.

I want the webservice to ask for the username/password on every run (no matter if another web page is open or not).

Any idea what should I do?

Roxx
  • Maybe your browser is caching credentials, no? – Blackus Jun 01 '15 at 14:39
  • This is probably nothing to worry about. With HTTP Basic, the client of your webservice has to authenticate every request using a username and password. Try testing your service using a REST client like Postman (instead of a browser) to see how it behaves. Like Blackus said, your browser is probably just caching the credentials, but that doesn't mean they don't get sent every time. – Steven Van Impe Jun 01 '15 at 14:45
  • You can write unit test cases to assure the same. – Akhil Jun 01 '15 at 15:12
  • If you move away from Basic Auth to some custom strategy the browser won't be able to "help" the user by autofilling the credentials. Perhaps passing the uname/pwd in a form field or custom header? – Neil Smithline Jun 01 '15 at 18:01

2 Answers

0

There's no way around this: The browser will send the user/pw with every request until you close it.

gsl
0

That's because the basic authentication scheme is an implicit authentication scheme.

Once authenticated, the browser will automatically include the credentials on subsequent requests. The only way to prevent this is to open an anonymous session or close the browser. These authentication schemes are vulnerable to CSRF attacks.

There are other reasons to prefer other authentication schemes over basic authentication as I discuss in my answer here.

MvdD
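As an added illustration (not code from the question or either answer), here is a minimal Python server-side check showing what the comments and answers describe: the server keeps no session, so each request is accepted or challenged purely on its own `Authorization` header, and a client that stops sending the header is challenged again immediately. The user table and credentials are constructed for the demo.

```python
import base64
import hmac

# Constructed demo user table: username -> password.
# A real service would store password hashes, not plaintext.
USERS = {"alice": "s3cret", "bob": "pa:ss"}


def check_basic_auth(headers, users=USERS, realm="api"):
    """Judge ONE request by its Authorization header.

    Returns (status, response_headers, principal). There is no session state:
    a browser "remembers" you only because it re-sends this header each time.
    """
    challenge = [("WWW-Authenticate", f'Basic realm="{realm}", charset="UTF-8"')]
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge, None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # malformed base64 / bytes
        return 401, challenge, None
    # RFC 7617: the user-id cannot contain ':', the password may, so split once.
    user, sep, password = decoded.partition(":")
    if not sep:
        return 401, challenge, None
    # Compare against an empty string for unknown users so the code path
    # (and roughly the timing) is the same whether or not the user exists.
    expected = users.get(user, "")
    match = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if user not in users or not match:
        return 401, challenge, None
    return 200, [], user


def basic_header(user, password):
    """Build the header a REST client (or a browser, from its cache) sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def simulate_requests():
    """Three requests from the same client: no header, header, no header again.

    Shows the server does not 'stay logged in': omit the header and you are
    challenged again, which is exactly what a REST client would observe.
    """
    sequence = [{}, basic_header("alice", "s3cret"), {}]
    return [check_basic_auth(h)[0] for h in sequence]  # -> [401, 200, 401]
```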