Bug 12844

Summary: Web User Interface: Authentication survives reboots, shutdowns, even re-installs
Product: IPFire Reporter: Manfred Knick <Manfred.Knick>
Component: ---Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: CLOSED NOTABUG QA Contact:
Severity: Security    
Priority: - Unknown - CC: michael.tremer
Version: 2   
Hardware: x86_64   
OS: Unspecified   

Description Manfred Knick 2022-04-11 16:15:00 UTC 
As long as the admin password is kept the same,
a running browser tab will keep its login credentials -
no matter if
- the system is rebooted
- the system is shutdown and restarted
- the system is installed onto another disk
- even an old version is re-installed

Any of these events should render the credentials "invalid",
requiring a new login authentication.
Comment 1 Michael Tremer 2022-04-11 16:16:25 UTC 
This web user interface is using HTTP Basic authentication. The password will be transmitted to the web server with every request.

If you re-install your system and you use the same password, then requests will continue to work.

This is not a bug. It is designed like this.