
I am using HTTP Basic Auth to authenticate the user. Once authenticated, I set req.session.loggedIn = true on the server-side. If a user makes requests after being logged in, for security purposes, should I just check the session loggedIn value or send the basic auth header on each request and then verify credentials on each request on my backend?

jpj
    More information is needed. What language/framework is this? Is it setting a cookie when the user becomes logged in? – multithr3at3d Sep 24 '20 at 17:02
  • 2
    If you're using basic HTTP authentication, then there may not be any need for you to use cookies in addition to basic HTTP auth. The browser will send the basic auth headers on every request to your site during the user's session. – mti2935 Sep 24 '20 at 17:57

2 Answers


As mti2935 mentions, the Basic Auth header is automatically sent by the browser with every request. That means setting a session cookie is redundant.

However, usage of HTTP Basic Auth should be discouraged, as is discussed in this answer.

  • 1
    +1. In addition to the points made in the thread referenced in the answer, HTTP Basic Authentication was not designed to provide a method for logging the user out. See https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication – mti2935 Sep 25 '20 at 12:32

If your variable, req.session.loggedIn is client-side controllable, then you have a gaping authentication flaw.

Assuming that is the case -- you need to generate a unique session ID after successful login. When a user requests a page, you will check if the session ID is valid.

It's worth noting: we want to reduce transmittance of credentials wherever possible. Generally speaking, a session ID is usually less valuable than credentials.

Saustin