Web User Interface: Authentication survives reboots, shutdowns/restarts, even re-installs

As long as the admin password is kept the same,
a running browser tab will keep its login credentials -
no matter if

  • the system is rebooted
  • the system is shut down and restarted
  • the system is installed onto another disk
  • even an old version is re-installed

Any of these events should render the credentials “invalid”,
requiring a new login authentication.

In my case, for analysis purposes, I re-installed an image from 2018-04, based upon cu119, to a different SSD in that system: just booted - and: voila!, was able to re-use the “surviving session”.

In (positive) contrast, as to be expected:

  • during the login, .bashrc ensures that the user gets logged out automatically after some minutes of inactivity
  • you may open a time-unlimited ssh connection at your responsibility - but ssh at least takes care this will not survive any of the above

Bug 12844 - Web User Interface: Authentication survives reboots, shutdowns, even re-installs

1 Like

Hi,

for the sake of completeness: As @ms already wrote in #12844, this is not a bug, but the way HTTP basic authentication is designed. There is nothing we can change about that.

No offense, but if you are about to report security vulnerabilities, please verify that they actually are security vulnerabilities and the IPFire project is able to mitigate them. We have a lot on our plates these days, and alarmism does not help, especially if things turn out to be a false alarm further down the line.

Thanks, and best regards,
Peter Müller

2 Likes
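
The behaviour discussed in this thread, as an added example that is not part of either post and is not IPFire code: with HTTP basic authentication the browser resends the same `Authorization` header on every request and the server keeps no login state, so a rebooted or re-installed server with the same password accepts it, and only a password change rejects it. The class names, the `admin` user and the passwords are constructed for illustration; `SessionServer` is a hypothetical contrast case with in-memory login state, not something the page says IPFire does.

```python
import base64
import hmac
import secrets

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

class BasicAuthServer:
    """Stateless: each request is checked against the configured password."""
    def __init__(self, user, password):
        self.user, self.password = user, password
    def authorized(self, header):
        scheme, _, value = header.partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            user, _, pw = base64.b64decode(value, validate=True).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8
            return False
        return _same(user, self.user) and _same(pw, self.password)

class SessionServer(BasicAuthServer):
    """Contrast (assumption): login state is kept in server memory."""
    def __init__(self, user, password):
        super().__init__(user, password)
        self.sessions = set()  # empty again after every restart

    def login(self, header):
        if not super().authorized(header):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions.add(sid)
        return sid

    def authorized(self, sid):
        return sid in self.sessions

def demo():
    pw = "constructed-pw"  # constructed sample value
    header = basic_header("admin", pw)  # what the open browser tab keeps resending
    sid = SessionServer("admin", pw).login(header)
    # Each new object below stands for the server after a reboot or re-install.
    return {
        "basic_after_reinstall": BasicAuthServer("admin", pw).authorized(header),
        "basic_after_pw_change": BasicAuthServer("admin", "changed-pw").authorized(header),
        "session_after_restart": SessionServer("admin", pw).authorized(sid),
    }
```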