Ask HN: Why isn’t HTTPS and Basic Auth as common as cookies?

7 points

8 years ago

I was considering which authentication method to use for a simple web front end of my application (which also provides a REST-ful API) and I cannot see any compelling reason why I should prefer form-based authentication w/ cookies over basic auth.

Someone asked on stackexchange “Is BASIC-Auth secure if done over HTTPS?” and the most upvoted answer is:

> There are a few issues with HTTP Basic Auth:

> 1. The password is sent over the wire in base64 encoding (which can be easily converted to plaintext).

> 2. The password is sent repeatedly, for each request. (Larger attack window)

> 3. The password is cached by the webbrowser, at a minimum for the length of the window / process. (Can be silently reused by any other request to the server, e.g. CSRF).

> 4. The password may be stored permanently in the browser, if the user requests. (Same as previous point, in addition might be stolen by another user on a shared machine).

None of his/her reasons seem compelling to me though. TLS protects the password on transmit so #1 is no longer a concern. I’m unsure what the attack scenario is with the #2 so I don’t know what a “larger attack window” really entails; MITM, replay attacks... (all of which TLS protects from)? Regarding #3, cookies are also susceptible to CSRF but unlike basic auth, there are methods to protect against that; though I cannot see how CSRF can cause any harm if GET is idempotent as intended (except wasted bandwidth maybe). Lastly, cookies are also stored in the browser for a very long time if the user requests so I don’t think #4 is really valid either.

I believe the most concerning/valid point of all is #3, and yet I still don’t think it’s something I need to worry about. Am I mistaken? Is there anything else that one should be aware of for the sake of security?

Thanks!

[1]: https://security.stackexchange.com/a/990

10 comments