Closed Bug 515651 Opened 15 years ago Closed 10 years ago

firefox sends old http basic auth credentials

Categories

(Core :: Networking, defect)

x86
All
defect
Not set
normal


RESOLVED DUPLICATE of bug 137852

People

(Reporter: guille.rodriguez, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Under certain circumstances Firefox seems to be sending the wrong set of http
basic auth credentials. The problem happens in this scenario:

- First, the user successfully authenticates as userA/passA in order to access
http://host/pathA, auth realm "realmA"
- Then, the user successfully authenticates as userB/passB in order to access
http://host/pathB, auth realm "realmB"
- Then, the user tries to access http://host/pathC. Firefox will try to authenticate using userA/passA (old credentials) instead of userB/passB


Reproducible: Always

Steps to Reproduce:
1. User tries to access http://host/pathA
2. Server responds with 401, identifies realm as "realmA"
3. Firefox prompts for user/password. User enters userA/passA
4. Firefox sends the correct credentials, server sends back the document

-> At this point, as per RFC 2617, Firefox should assume that any request URI in the form http://host/pathX is also under the protection space of realmA ("clients should assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge.")

5. User now tries to access http://host/pathB, which is configured for a
different protection realm
6. Firefox preemptively sends userA/passA. This is correct as stated above
7. Server responds with 401, identifies realm as "realmB"
8. Firefox prompts for user/password. User enters userB/passB
9. Firefox sends the correct credentials, server sends back the document

-> At this point, again, as per RFC 2617, Firefox should assume that any request URI in the form http://host/pathX is also under the protection space of realmB.

10. User tries to access http://host/pathC

Actual Results:  
Firefox preemptively sends userA/passA, which is old auth data.

Expected Results:  
Firefox should send userB/passB, which is the current auth data.

This is very similar to bug 512709, and probably related internally. However, bug 512709 seems to be triggered by a POST request, while this is not the case for this bug. Also, this bug is probably easier to set up and reproduce, which is why I'm filing it as a new issue.
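The following is an added illustration, not Firefox code and not part of the original report: a minimal client-side Basic auth cache that applies the RFC 2617 protection-space rule quoted above (a successful challenge for `/pathA` is assumed to cover the directory `/`, so every `/pathX` on the same host) and lets the most recent successful challenge for a protection space replace the older entry. Walking it through the reporter's scenario yields the expected result (userB/passB for `/pathC`); the bug is that Firefox instead kept serving the superseded userA/passA entry. The class and function names, and the host/realm/user values, are constructed for the example.

```python
import base64
from urllib.parse import urlsplit


def protection_space(path: str) -> str:
    """Directory part of a request path, as RFC 2617 section 2 defines the
    inferred protection space: everything up to and including the last '/'.
    '/pathA' -> '/', '/dir/doc' -> '/dir/', '/dir/' -> '/dir/'."""
    if not path.startswith("/"):
        path = "/" + path
    return path[: path.rfind("/") + 1]


class BasicAuthCache:
    """Remembers credentials that succeeded against a (host, directory) protection
    space and offers them preemptively for later requests under that directory.
    Hypothetical simplified cache, not the Firefox implementation."""

    def __init__(self):
        # (host, directory prefix) -> (realm, user, password); the latest successful
        # challenge for a protection space supersedes whatever was stored before.
        self._entries = {}

    def remember(self, url: str, realm: str, user: str, password: str) -> None:
        parts = urlsplit(url)
        key = (parts.netloc.lower(), protection_space(parts.path))
        self._entries[key] = (realm, user, password)

    def preemptive(self, url: str):
        """Return (realm, user, password) for the longest matching protection space
        on this host, or None if nothing is cached for the request URI."""
        parts = urlsplit(url)
        host = parts.netloc.lower()
        path = parts.path or "/"
        best = None
        for (h, prefix), creds in self._entries.items():
            if h == host and path.startswith(prefix):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, creds)
        return best[1] if best else None

    def authorization_header(self, url: str):
        """Build the Authorization header value the client would send preemptively."""
        creds = self.preemptive(url)
        if creds is None:
            return None
        _realm, user, password = creds
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        return f"Basic {token}"


def reproduce_scenario() -> dict:
    """Steps 1-10 of the report, using constructed host/realm/user values.
    A correct client ends up offering userB for /pathC."""
    cache = BasicAuthCache()
    # Steps 1-4: userA/passA succeeds for /pathA (realmA); protection space is '/'.
    cache.remember("http://host/pathA", "realmA", "userA", "passA")
    # Steps 5-6: /pathB is under '/', so userA/passA is offered preemptively.
    offered_for_pathb = cache.preemptive("http://host/pathB")[1]
    # Steps 7-9: server answers 401 with realmB; userB/passB succeeds and replaces
    # the entry for the same protection space.
    cache.remember("http://host/pathB", "realmB", "userB", "passB")
    # Step 10: /pathC should now get the current credentials, userB/passB.
    offered_for_pathc = cache.preemptive("http://host/pathC")[1]
    return {
        "pathB_preemptive": offered_for_pathb,
        "pathC_preemptive": offered_for_pathc,
        "pathC_header": cache.authorization_header("http://host/pathC"),
    }


if __name__ == "__main__":
    for key, value in reproduce_scenario().items():
        print(f"{key}: {value}")
```

The single dictionary keyed by (host, directory) is what makes step 9 supersede step 4: both challenges resolve to the protection space `/` on the same host, so the second success overwrites the first rather than leaving two candidate entries for the client to pick from.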
Blocks: 61681
This bug is still open and really annoying.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE