Content that should be protected is served without authentication intermittently

Our website hosting is with a shared hosting provider. The only configuration we can make is through .htaccess files, we can’t touch the apache configuration files that are sourced when apache first starts.

The website root directory is public_html/. We have some content that should only be accessible to members, and this content is all kept under public_html/members_only/ files and subdirectories. Members have a username/password to authenticate when they want to get to the members-only portion of the site. The public_html/members_only/.htaccess file is fairly simple as follows:

    AuthUserFile /path/to/.htpasswd
    AuthType Basic
    AuthName "Password Protected"
    Options -Indexes
    AuthGroupFile /dev/null
    <RequireAll>
        Require valid-user
        Require method GET POST HEAD
    </RequireAll>

When a particular file public_html/members_only/auto/xyz.pdf is requested in the browser the expected 401 status is returned, the browser prompts the user for their credentials and, if correctly entered, the request is sent again and the file is served. This is as expected. The problem is that when any other user who has not authenticated subsequently requests this same file, it’s served to them without authentication, at least for a while. Then, after some interval, the next request is only satisfied if the user is authenticated.

Just to be sure I’m not experiencing some kind of browser caching confusion I have verified this behavior using curl -D headers https://<my website>/members_only/auto/xyz.pdf and examined the headers file.

I noticed another question that sounds very similar to my problem, but there were no answers. I am out of ideas at this point. I’ve tried tech support for the hosting provider (Endurance International Group), they are worse than useless.
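As an added example (not code from the post or from the hosting provider), the following Node.js script turns the `curl -D headers` check described above into something repeatable: it parses one or more saved header dumps, classifies each unauthenticated response, and can optionally hit the URL several times in a row so an intermittent leak shows up as a mix of verdicts. The rule it applies is an assumption stated in the code: the only acceptable answer to an unauthenticated request for a protected file is 401 with a WWW-Authenticate header, and any 200 is a leak. It also records header names (Age, X-Cache, Via and similar) that would point at a cache in front of Apache, which is one possible explanation for "served for a while, then protected again" but is not something the post establishes. The sample dumps in the block are constructed, not captured from the poster's site.

```javascript
// Added example, not from the original post or the hosting provider.
// Classifies "curl -D <file>" header dumps from unauthenticated requests to a
// protected URL, and can probe the URL live. Assumed rule: the only acceptable
// unauthenticated answer is 401 + WWW-Authenticate; a 200 is a leak.
const CACHE_HINTS = ['age', 'x-cache', 'via', 'x-varnish', 'cf-cache-status'];

// Parse a "curl -D" dump (several blocks if curl followed redirects) into the
// final status code and a lower-cased header map.
function parseHeaderDump(text) {
  const blocks = text.trim().split(/\r?\n\r?\n/);
  const lines = blocks[blocks.length - 1].split(/\r?\n/);
  const m = /^HTTP\/[\d.]+\s+(\d{3})/.exec(lines[0]);
  if (!m) throw new Error('not an HTTP header dump');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

// Verdict for one unauthenticated response, plus header names that suggest an
// intermediate cache and whether the response was even marked non-cacheable.
function classify({ status, headers }) {
  const cacheEvidence = CACHE_HINTS.filter((h) => h in headers);
  const cacheable = !/\b(private|no-store)\b/i.test(headers['cache-control'] || '');
  let verdict;
  if (status === 401 && 'www-authenticate' in headers) verdict = 'protected';
  else if (status === 200) verdict = 'LEAK';
  else verdict = `unexpected ${status}`;
  return { verdict, cacheEvidence, cacheable };
}

// Live probe (needs Node 18+ for global fetch): N unauthenticated GETs in a
// row, returning one verdict per attempt. Not exercised offline.
async function probe(url, attempts = 5) {
  const results = [];
  for (let i = 0; i < attempts; i++) {
    const res = await fetch(url, { redirect: 'manual', cache: 'no-store' });
    const headers = {};
    res.headers.forEach((v, k) => { headers[k] = v; });
    results.push(classify({ status: res.status, headers }));
  }
  return results;
}

// Constructed sample dumps (not real responses from the poster's site).
const SAMPLE_PROTECTED =
  'HTTP/1.1 401 Unauthorized\r\n' +
  'Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n' +
  'WWW-Authenticate: Basic realm="Password Protected"\r\n' +
  'Content-Type: text/html; charset=iso-8859-1\r\n\r\n';

const SAMPLE_LEAK =
  'HTTP/1.1 200 OK\r\n' +
  'Date: Mon, 01 Jan 2024 00:00:10 GMT\r\n' +
  'Content-Type: application/pdf\r\n' +
  'Age: 37\r\n' +
  'X-Cache: HIT\r\n\r\n';
```

Run it against real dumps with `classify(parseHeaderDump(fs.readFileSync('headers', 'utf8')))`, or call `probe('https://<my website>/members_only/auto/xyz.pdf', 10)` right after an authenticated download to see whether the leak window opens. A `LEAK` verdict with `cacheable: true` and entries in `cacheEvidence` is the pattern to take to the provider, since Basic auth decisions made in `.htaccess` cannot stop a cache that sits in front of Apache from replaying a response.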

Can’t turn off two-factor authentication using CLI

I got a new phone and didn’t save the recovery code. One day, when I tried to log in to the Heroku platform using my email and password, Heroku redirected to the https://verify.salesforce.com/v1/verify/ page and asked me to perform multi-factor authentication and enter verification code.

I can’t. So I find this documentation Recovering from lock-out

What I have tried:

  1. Contacted support at account-lockout@heroku.com via email and asked them to disable my multi-factor authentication. I provided my login email and password to them. But they always reply to me like this:

Sorry, the email address you are using has not been recognized as a Heroku account.

Please log in and submit a ticket via help.heroku.com where we’ll be happy to help. If you are unable to log in, please send an email from your registered Heroku account.

If you do not have a Heroku account and need support, you can create an account in seconds.

We apologize for any inconvenience!

The Heroku Team https://heroku.com

  2. The documentation said:

If you have a valid CLI session on your computer, you can use the CLI to turn off two-factor authentication with the command heroku 2fa:disable. Here too, you will be asked for your password.

So I tried to disable multi-factor authentication using heroku CLI.

    ☁  heroku 2fa:disable
    (node:42222) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
    Disabling 2fa on novaline@aliyun.com... ? Password: ************
    Disabling 2fa on novaline@aliyun.com... done

Looks like it worked. But when I tried to log in to the Heroku platform again, it still redirected me to the multi-factor authentication page – https://verify.salesforce.com/v1/verify/

Am I the only one with this problem?

DB2 Linux authentication fails

I have a DB2 Express-C v10.5 instance configured to authenticate against LDAP. The LDAP server is going to be shut down and I should configure the same DB2 instance to use Linux authentication.

I copied users from the LDAP server to the local Linux host running DB2. Then I shut down the LDAP server. After that I changed the DB2 authentication settings with db2 update dbm cfg using SRVCON_PW_PLUGIN IBMOSauthserver (it used to be IBMLDAPauthserver before) and restarted DB2.

Applications access the database with the username db2smth (name changed due to privacy reasons). I can connect to a database with db2 connect to dbname user db2inst1 using '********' but connecting to the same database as db2smth fails:

    db2 => connect to dbname user db2smth using '********'
    SQL30082N  Security processing failed with reason "24" ("USERNAME AND/OR PASSWORD INVALID").  SQLSTATE=08001

su - db2smth and su - db2inst1 both work fine, which means that Linux authentication works fine.

How can I diagnose what’s wrong with the authentication?

WordPress Product Authentication

Are there any plugins or any options available in WordPress to check the authenticity of products? I'm selling physical products, so I want to prevent any local (duplicate) products.

We put a scratch card inside the box. The buyer scratches the card and a number appears; the buyer then opens our website and submits the number, and a message appears such as "Thanks for buying a genuine product" (or any other text). So this is the process; are there any plugins or anything else that could do this?

Does Two Factor Authentication (2FA) prevent Phishing and/or Man-in-the-Middle (MITM) attacks?

While 2FA is clearly an improvement over only a single factor, is there anything which prevents an adversary presenting a convincing sign-in page which captures both factors?

I realise that technically a MITM attack is different to a Phishing attack, though at a high level they’re very similar — the user is inputting their credentials into an attacker-controlled page and the attacker can then input the credentials onwards into the real page.

Are hardware security keys (e.g. ones supporting FIDO2) “able to protect authentication” even in case of compromised devices?

Correct me if I am wrong, please.

I understand that 2FA (MFA) increases account security in case an attacker obtains a password, which might be possible in various ways, e.g. phishing, database breach, brute force, etc.

However, if the 2FA device is compromised (full system control), which can also be the very same device, then 2FA is broken. It's not as likely as with only using a password, but conceptually this is true.

Do hardware security keys protect against compromised devices? I read that the private key cannot be extracted from those devices. I am thinking about protecting my SSH logins with a FIDO2 key. Taking SSH as an example, I would imagine that on a compromised device the SSH handshake and key exchange can be intercepted and the FIDO2 key can be used for malicious things.

Additionally: FIDO2 protects against phishing by storing the website it is set up to authenticate with. Do FIDO2 and OpenSSH also additionally implement host key verification, or doesn't it matter because FIDO2 with OpenSSH is already asymmetric encryption and thus not vulnerable to MitM attacks?

Authentication in Next.js application (SSR SPA with long sessions)

We’re currently developing a Next.js application (server side rendering) and are looking for secure ways to keep the users logged in for longer periods of time.

AFAIK this can either be done using silent authentication or refresh tokens. General note: when a user is not logged in yet, we can redirect the user to a login page. If the user enters their credentials, we use the Authorisation Code Grant (to my knowledge PKCE is not needed in this case as it's all server side during these steps), which will redirect back and respond with an authorisation code. We can then exchange this authorisation code for an access token (and refresh token) using a client secret (all server side).

Refresh Tokens

Since any client side storage (local storage, cookies, etc.) is not safe (XSS attacks) for storing any kind of tokens (especially refresh tokens), we are wondering if it’s generally safe to store a refresh token (and access token) in a HTTP only cookie considering that…

  • … the token values are encrypted, e.g. AES, with a secret that is not exposed to the client side.
  • … the refresh tokens are rotating, so when you retrieve a new access token with your refresh token, you also receive a new refresh token. The old refresh token is invalidated and if used again, all refresh tokens are invalidated.
  • … the refresh token automatically expires after a couple of days, e.g. 7 days.

Silent Authentication

A possible alternative could be silent authentication via an auth request on the server side (prompt=none). The auth session for the silent authentication would also be stored in a HTTP only cookie.

In both scenarios, it's probably necessary to make sure that the client doesn't know about any of these tokens. (You could potentially use silent authentication on the client side using an iframe (the domain is the same, just different subdomains), but the client would then potentially receive new access tokens which would have to be stored in memory (potential XSS vulnerability).)

Since it's a server side rendered SPA, the client side still needs to be able to get new data from the API server using the access token. For this, we were thinking of using Next.js API routes as a proxy: so, if the client wants to get new data, it will send an AJAX request to the respective Next.js API route. The controller for this Next.js API route is able to read and decrypt the HTTP only cookie and can therefore send the request to the API server with a valid access token in the HTTP header. Just before the short-lived access token expires, the controller would need to first send a request to the auth server to retrieve a new access (and refresh) token and then continue sending the request with the new access token to the API server.

While this sounds good and feasible in theory, we are wondering about the following points:

  1. Is it generally safe to save a (rotating) refresh and access token in a HTTP only cookie? Does the cookie value need to be encrypted or is that unnecessary? Does a rotating refresh token offer any additional security in this case?
  2. Is the "Next.js API route as a proxy" method a secure way to make sure that the client side can get new data from the API server? If e.g. otherdomain.com would try to send a request to the ("unprotected") Next.js API route, it would not respond with any data as it's a different domain and the HTTP only cookies are therefore not accessible, correct? Is CSRF possible for these Next.js API routes?
  3. Is it safe if the HTTP only cookie for the refresh token is shared across all subdomains and not tied to one specific subdomain (application)? This would allow us to access the cookie from e.g. the actual website or other subdomains.
  4. Is the refresh token approach better / safer than the silent authentication approach?

Follow-up question: Can the refresh token approach also be used to authenticate users in a browser extension? So:

  1. The user logs in (Authorisation Code Grant with PKCE): the login prompt/page is shown in a popup (or new tab) and the communication (authorisation code) is done through postMessage.
  2. The background script receives the authorisation code and exchanges it for an access token and rotating refresh token (which is probably necessary in this flow (?)) using the code and a code verifier. These tokens can then be saved in Chrome storage. We could potentially also encrypt the tokens, but I'm not sure if that offers any additional protection (?), considering that the background script is not the same as a server.
  3. If the Chrome extension wants to receive data from the API server, it sends a message to the background script, which will then send the API request using the tokens saved in Chrome storage.

B2B authentication best practices

I’m in the process of developing a B2B (business-to-business) application. I’ve implemented JWT auth, and it is working as expected. Right now the authentication functions as if it were a B2C (business-to-customer) app.

I’m trying to determine the best practices for B2B authentication.

Is having one authentication account bad practice in a B2B app? For example, every employee at Company A would use the same set of login credentials.