12844 – Web User Interface: Authentication survives reboots, shutdowns, even re-installs

Bug 12844 - Web User Interface: Authentication survives reboots, shutdowns, even re-installs

Summary: Web User Interface: Authentication survives reboots, shutdowns, even re-installs

Status:	CLOSED NOTABUG

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	x86_64 Unspecified

Importance:	- Unknown - Security
Assignee:	Assigned to nobody - feel free to grab it and work on it
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-04-11 16:15 UTC by Manfred Knick
Modified:	2022-04-11 16:16 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Manfred Knick 2022-04-11 16:15:00 UTC

As long as the admin password is kept the same,
a running browser tab will keep its login credentials -
no matter if
- the system is rebooted
- the system is shutdown and restarted
- the system is installed onto another disk
- even an old version is re-installed

Any of these events should render the credentials "invalid",
requiring a new login authentication.

Comment 1 Michael Tremer 2022-04-11 16:16:25 UTC

This web user interface is using HTTP Basic authentication. The password will be transmitted to the web server with every request.

If you re-install your system and you use the same password, then requests will continue to work.

This is not a bug. It is designed like this.