
Quick Lesson: Chrome and Basic Auth


For years the internet has used HTTP auth for all sorts of things. Routers and many other infrastructure components protect their admin panels with it, and countless admins have put it in front of monitoring dashboards and other software that has no concept of users of its own.

There are two varieties of HTTP auth, Basic and Digest. Basic sends the username and password base64-encoded in every request, which is encoding, not encryption. Digest was meant to improve on that: the client sends an MD5 hash computed over the password, the realm and a server nonce, so a passive observer never sees the password itself. In practice that buys you little. Everything needed to verify a guess (username, realm, nonce, URI and the response hash) is in the captured exchange, so anyone who sniffs it can run an offline dictionary attack, and MD5 is fast enough that this is cheap. Either way, HTTP auth sent over plain HTTP is exposed to anyone on the path; HTTPS is the only way to use it with any legitimacy.
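To make the difference concrete, here is an added example (not code from the original post) that decodes a captured Basic header and then runs an offline dictionary attack against a captured Digest response. The header values, realm and credentials are constructed for the example; the Digest computation follows RFC 2617/7616 with the MD5 algorithm and `qop=auth`, and is checked against the RFC 2617 test vector.

```python
import base64
import hashlib

# Constructed sample, as a proxy or packet capture would show it.
# Hypothetical credentials, not from any real system.
BASIC_HEADER = "Basic " + base64.b64encode(b"admin:Winter2017!").decode()


def decode_basic(authorization):
    """Recover (user, password) from an Authorization: Basic header.

    Basic auth is base64 (RFC 7617), not encryption: anything that sees
    the header over plain HTTP sees the password.
    """
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest 'response' value for algorithm=MD5, qop=auth (RFC 2617 section 3.2.2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_vector_ok():
    """Sanity check against the worked example in RFC 2617 section 3.5."""
    return digest_response(
        "Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html",
        "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
    ) == "6629fae49393a05397450978507c4ef1"


# Constructed capture of a Digest exchange. Everything except the password
# travels in the clear, so an attacker has all of these fields.
CAPTURED = {
    "username": "admin",
    "realm": "Monitoring",
    "method": "GET",
    "uri": "/status",
    "nonce": "8f3c1a2b7d9e4f60",
    "nc": "00000001",
    "cnonce": "c0ffee42",
}
CAPTURED["response"] = digest_response(
    CAPTURED["username"], CAPTURED["realm"], "Winter2017!", CAPTURED["method"],
    CAPTURED["uri"], CAPTURED["nonce"], CAPTURED["nc"], CAPTURED["cnonce"],
)

WORDLIST = ["password", "admin", "letmein", "Winter2017!", "monitoring"]


def crack_digest(captured, wordlist):
    """Offline dictionary attack: three MD5 operations per guess, no network."""
    for guess in wordlist:
        candidate = digest_response(
            captured["username"], captured["realm"], guess, captured["method"],
            captured["uri"], captured["nonce"], captured["nc"], captured["cnonce"],
        )
        if candidate == captured["response"]:
            return guess
    return None


if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(BASIC_HEADER))
    print("RFC 2617 vector matches:", rfc2617_vector_ok())
    print("Digest password recovered:", crack_digest(CAPTURED, WORDLIST))
```

The point of `crack_digest` is that the nonce does nothing to slow down a guess once the exchange is captured; it only stops replay of that exact response. Over HTTPS neither header is visible to a network observer in the first place.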

While looking at a small Apache issue for someone today there was a surprise at the end: using Chrome 59, I wasn't being shown a login prompt at all.

Was the configuration wrong? No, that was right; I checked in other browsers and got the prompt. What was going on? I tried closing and re-opening Chrome, still no prompt. It turns out that Chrome keeps HTTP auth credentials in an in-memory cache for as long as the browser process lives, and when background apps are allowed to keep running, closing the windows doesn't end that process, so the cached credentials were still being sent with every request. A brief Google search later and hey presto: navigate to chrome://restart in the Chrome omnibox. This restarts Chrome together with its background processes, the cache is not preserved, and you can test your login again.
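The reliable way to test whether the server is actually challenging is a client that has no credential cache at all. The following is an added example, not code from the original post: it stands up a small Basic-auth-protected HTTP server in a thread (a stand-in for the Apache vhost, with a hypothetical realm and constructed credentials) and then checks it the way a browser cannot be trusted to, with fresh requests that send only the headers you give them.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Monitoring"                      # hypothetical realm name
USER, PASSWORD = "admin", "Winter2017!"   # constructed test credentials


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Stand-in for the protected vhost: 401 until valid Basic credentials arrive."""
    expected = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin panel\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Bind to an ephemeral port on loopback and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, auth=None):
    """One request with no credential cache. Returns (status, WWW-Authenticate)."""
    req = urllib.request.Request(url)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


def check_auth(url, user, password):
    """True only if anonymous requests get a Basic challenge, the right
    credentials get 200, and a wrong password is still rejected."""
    anon_status, challenge = fetch(url)
    if anon_status != 401 or not challenge or not challenge.lower().startswith("basic"):
        return False
    ok_status, _ = fetch(url, (user, password))
    bad_status, _ = fetch(url, (user, password + "x"))
    return ok_status == 200 and bad_status == 401


def run_check():
    """Spin up the stand-in server, run the three-request check, tear it down."""
    srv = start_server()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/"
        return check_auth(url, USER, PASSWORD)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("auth configuration OK:", run_check())
```

Point `check_auth` at the real URL instead of the stand-in server when you are debugging an actual vhost; because `urllib` only sends what `fetch` adds, a 200 on the anonymous request means the server is not challenging, not that a client remembered a password.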

Frustratingly there doesn't seem to be a way to disable this caching if you're testing or paranoid. An Incognito window keeps a separate cache that is discarded when the last Incognito window closes, and a command-line client sends exactly the headers you give it with no cache at all, so either is a better way to confirm that a login prompt really appears than trusting a Chrome window.