02-07-2009 01:35 AM - edited 02-07-2009 01:48 AM
The MDS Simulator and the BES implementations out there are caching Basic authentication credentials and using them for future requests to our server, even when the client specifically changes the credentials in the request.
As seen on:
As discussed in the previous section, MDS supports a variety of authentication schemes. In the situation where authentication is required, MDS will cache user credentials after a user is prompted for a username and password. The next time that user logs into the server and is challenged for a username and password, MDS will automatically authenticate the user with the cached credentials, removing the need for them to re-enter their credentials each time.
This is causing us a lot of issues because we require different credentials for different operations. We have tried setting the Cache-Control directive on the requests to no-store, no-cache, must-revalidate, but the MDS seems to ignore these directives.
Is there a directive we can use on the connection string or in the HTTP header that will prevent the MDS from using the cached credentials?
02-07-2009 03:03 PM - edited 02-07-2009 03:05 PM
Thanks for the suggestion, I should have mentioned that we had tried this already as well.
Here are the headers we set on the authenticated request. The base64_credentials can change from call to call, but the MDS server is always passing the first set of credentials passed to the server, which is not quite the correct behavior.
HttpConnection c = (HttpConnection) Connector.open(url); // javax.microedition.io
c.setRequestProperty("Authorization", "Basic " + base64_credentials); // Base64 of "user:password"; may differ per call
c.setRequestProperty("If-Modified-Since", "Fri, 29 Oct 1999 19:43:31 GMT"); // RFC 1123 date includes the weekday
c.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
c.setRequestProperty("Cache-Control", "no-store, no-cache, must-revalidate");
This actually has other security concerns as well, since if a user attempts to log out of our application, the next time someone logs in from that device it could be using the original user's credentials and allow access to data they should not be able to see.
There must be a way to invalidate the cached credentials on the MDS server... If there is not, we may have to re-architect a special authorization method just for BES users, which is an awful lot of overhead to work around non-standard behavior in a proxy.
I would have assumed that when the MDS server saw a NEW set of credentials for a domain it should update its cached version to the new credentials.
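To make the failure mode described in this post concrete, here is an added example (written for this page, not code from the thread or from RIM). It runs an echo origin server on localhost that returns whatever Authorization header actually reached it, a plain client that sends fresh Basic credentials on every request, and a constructed in-process model of a sticky-credential proxy that reuses the first credentials it saw for a host. The probe function sends two requests with different credentials down a path and reports whether the second set was replaced, which is the check you would want against any intermediary between your handset and your server. The proxy model, the /echo path and the user names are assumptions made for the demonstration; they are not MDS internals.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def basic_auth(user, password):
    """Build the value of a Basic Authorization header (RFC 2617 style)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


class EchoAuthHandler(BaseHTTPRequestHandler):
    """Origin server: answers every GET with the Authorization header it received.
    An endpoint like this shows what an intermediary delivers to your server,
    as opposed to what the client believes it sent."""

    def do_GET(self):
        body = (self.headers.get("Authorization") or "").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_origin():
    """Start the echo origin on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), EchoAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def direct_send(host, port, authorization):
    """Client behaving like the handset app: fresh credentials on every request.
    Returns the Authorization value the origin reports having received."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/echo", headers={
        "Authorization": authorization,
        "Cache-Control": "no-store, no-cache, must-revalidate",
    })
    body = conn.getresponse().read().decode()
    conn.close()
    return body


class StickyCredentialProxy:
    """Constructed model of the behaviour the post complains about: the first
    Basic credentials seen for a host are cached and reused for every later
    request to that host, whatever the client sends. This is an assumption made
    for the demo, not RIM's MDS implementation."""

    def __init__(self):
        self.cache = {}

    def send(self, host, port, authorization):
        cached = self.cache.setdefault((host, port), authorization)
        return direct_send(host, port, cached)


def credentials_substituted(send, host, port):
    """Probe: send two requests with different Basic credentials via `send` and
    report whether the origin saw the second set. True means something on the
    path replaced the Authorization header (the failure mode from the post)."""
    first = basic_auth("alice", "first-secret")    # constructed test users
    second = basic_auth("bob", "second-secret")
    send(host, port, first)
    observed = send(host, port, second)
    return observed != second


def run_demo():
    """Run the probe over the direct path and over the sticky proxy model.
    Returns (direct_substituted, proxied_substituted)."""
    server, port = start_origin()
    try:
        direct = credentials_substituted(direct_send, "127.0.0.1", port)
        proxied = credentials_substituted(StickyCredentialProxy().send, "127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()
    return direct, proxied


if __name__ == "__main__":
    print(run_demo())  # (False, True): direct path is clean, sticky proxy substitutes
```

Against a real deployment you would point `direct_send` at an echo endpoint on your own server and run the probe once from the handset through MDS; if the second response does not contain the credentials you just sent, the proxy is rewriting them and no Cache-Control header on the request will change that.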
02-11-2009 10:30 AM
02-13-2009 02:48 AM - edited 02-13-2009 02:49 AM
Thanks, but we do not have control over our users' BES servers, so that is not a viable option.
We have found that using an HTTPS connection seems to resolve this issue but it is rather annoying that we have to have the overhead on both client and server to use HTTPS connections.
The BES/MDS servers should obey caching headers in the HTTP requests. At a minimum they should realize that the credentials need to be updated when a new set is sent from the client and not blindly use old credentials.
Caching credentials like this also makes it difficult on some sites (not many these days use Basic Auth, but some do) to have multiple accounts, since you can't change your credentials.
02-16-2012 06:19 AM
I am having the same problem with the cached credentials on MDS. You mentioned the HTTP cache can be controlled via the BES. Whereabouts are those settings? And is it in a particular version of BES?