Logging out of HTTP Authentication with Firefox

Firefox has a very annoying “feature”: it caches HTTP authentication credentials for as long as Firefox remains open. And by “open”, I mean “the browser process is running”, not “the tab or window is open”.

Why is this bad? For several reasons. One, it widens the window for cross-site request forgery. Once you log in to a web site that uses HTTP authentication, Firefox silently attaches the cached credentials to every later request to that site, including requests that another page causes your browser to make, so you stay logged in. If you leave Firefox running for days, you are exposed for days.

Two, suppose you want to log in to the same site with different credentials. Perhaps you have both an admin account and a regular user account, and you want to switch between them. Or perhaps you are setting up a site and need to test another user’s login. The only way to do this in Firefox today (as of 3.0.13) is to quit the browser completely and restart it.

Enter the Web Developer extension. It is a great extension, though it has far more features than you are likely to need. It is excellent for dissecting web sites, outlining table borders and disabling annoying CSS themes. And it has a way to clear cached HTTP authentication credentials.

Install the extension. If you prefer, hide the “Web Developer” toolbar. To log out of HTTP auth, navigate through the menus Tools -> Web Developer -> Miscellaneous -> Clear Private Data -> HTTP Authentication.

Warning: Basic HTTP authentication is not secure. The browser sends your username and password, merely base64-encoded, with every request, so anyone who can read the traffic has your credentials. Digest HTTP authentication is better, because it sends an MD5 hash instead of the password itself, but anyone who captures one exchange can still guess the password offline. Use either of them only over HTTPS, so your transport is encrypted end to end.
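To make the difference concrete, here is an added example (not code from the original post) that builds and decodes the two kinds of Authorization header. The username, password, realm, nonces and wordlist are constructed values for illustration. It shows that a captured Basic header yields the password directly, while a captured Digest exchange yields a hash that still falls to an offline dictionary guess, which is why the post insists on HTTPS for both.

```python
import base64
import hashlib

# Constructed sample values; not from the original post.
USERNAME = "alice"
PASSWORD = "s3cret"
REALM = "Example Admin Area"


def basic_header(username, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    """Recover the credentials from a captured Basic header.

    No key or secret is involved: base64 is an encoding, not encryption,
    so anyone who can read the request reads the password.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth"):
    """Compute the RFC 2617 Digest 'response' value (MD5, qop=auth).

    Only this hash crosses the wire, never the password itself.
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def crack_digest(response, username, realm, method, uri, nonce, cnonce,
                 wordlist, nc="00000001", qop="auth"):
    """Offline dictionary attack on a captured Digest exchange.

    Everything except the password is visible in the captured request and
    challenge, so each guess can be checked without contacting the server.
    Returns the matching password, or None if no guess in the wordlist works.
    """
    for guess in wordlist:
        candidate = digest_response(username, guess, realm, method, uri,
                                    nonce, cnonce, nc, qop)
        if candidate == response:
            return guess
    return None


if __name__ == "__main__":
    hdr = basic_header(USERNAME, PASSWORD)
    print("Basic header on the wire:", hdr)
    print("Recovered from it:", decode_basic(hdr))

    # Constructed server nonce and client nonce for the Digest exchange.
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
    resp = digest_response(USERNAME, PASSWORD, REALM, "GET", "/admin/",
                           nonce, cnonce)
    print("Digest response on the wire:", resp)
    print("Guessed offline:", crack_digest(resp, USERNAME, REALM, "GET",
                                           "/admin/", nonce, cnonce,
                                           ["password", "letmein", "s3cret"]))
```

Run it once and compare the two lines that go on the wire: the Basic header decodes in one step, and the Digest hash holds out only as long as the password is absent from the attacker's wordlist. Neither protects the credentials on an unencrypted connection.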

Update 2009-11-25: Since upgrading to Firefox 3.5, you no longer need this extension to log out of HTTP auth. As noted in the comments below, go to Tools -> Clear Recent History -> Details, check only “Active Logins”, and then press “Clear Now”.


  1. Pik Master

    Hi. In Firefox 3.5.* you can do that by going to Tools -> Clear Recent History -> Details and checking “Active Logins”. If you clear it, close the tab and open it again, it will clear your HTTP auth session.


  2. tyler

    Pik,

    Indeed you can! In fact, since moving to Firefox 3.5 I have disabled this plugin.


    1. Tyler Wagner

      Works in both Chrome and Firefox, for sites using HTTP auth. Thanks.


    2. commenter

      While using private browsing mode, “Clear Recent History” does not appear to be available. The Web Developer add-on technique still works though — at least in Firefox 12.0.
