Closed
Bug 515651
Opened 15 years ago
Closed 10 years ago
firefox sends old http basic auth credentials
Categories: (Core :: Networking, defect)
Status: RESOLVED DUPLICATE of bug 137852
People: (Reporter: guille.rodriguez, Unassigned)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Under certain circumstances Firefox seems to be sending the wrong set of http basic auth credentials. The problem happens in this scenario:

- First, the user successfully authenticates as userA/passA in order to access http://host/pathA, auth realm "realmA"
- Then, the user successfully authenticates as userB/passB in order to access http://host/pathB, auth realm "realmB"
- Then, the user tries to access http://host/pathC. Firefox will try to authenticate using userA/passA (old credentials) instead of userB/passB

Reproducible: Always

Steps to Reproduce:
1. User tries to access http://host/pathA
2. Server responds with 401, identifies realm as "realmA"
3. Firefox prompts for user/password. User enters userA/passA
4. Firefox sends the correct credentials, server sends back the document
   -> At this point, as per RFC 2617, Firefox should assume that any request URI in the form http://host/pathX is also under the protection space of realmA ("clients should assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge.")
5. User now tries to access http://host/pathB, which is configured for a different protection realm
6. Firefox preemptively sends userA/passA. This is correct as stated above
7. Server responds with 401, identifies realm as "realmB"
8. Firefox prompts for user/password. User enters userB/passB
9. Firefox sends the correct credentials, server sends back the document
   -> At this point, again, as per RFC 2617, Firefox should assume that any request URI in the form http://host/pathX is also under the protection space of realmB.
10. User tries to access http://host/pathC

Actual Results: Firefox preemptively sends userA/passA, which is old auth data.

Expected Results: Firefox should send userB/passB, which is the current auth data.

This is very similar to bug 512709, and probably related internally. However, bug 512709 seems to be triggered by a POST request, while this is not the case for this bug. Also, this bug is probably easier to set up and reproduce, which is why I'm filing it as a new issue.
Updated•10 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
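
The ten reproduction steps in the description above can be replayed offline with a small model. This is an added example, not code from the bug report or from Firefox; `Client`, `replay`, the `replace_on_success` switch and the choice to put /pathC in realmB are assumptions made for illustration. It records which user's credentials are sent to each path, so the stale userA header going to /pathC is visible next to the RFC 2617 behaviour the reporter expects.

```python
import base64
import posixpath

# Constructed server config mirroring the report: path -> (realm, user, password).
# Putting /pathC in realmB is an assumption; the report does not say.
SERVER = {"/pathA": ("realmA", "userA", "passA"),
          "/pathB": ("realmB", "userB", "passB"),
          "/pathC": ("realmB", "userB", "passB")}

def basic(user, password):
    """Build a Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def serve(path, authorization):
    """Return (status, realm) as the report's server would."""
    realm, user, password = SERVER[path]
    return (200 if authorization == basic(user, password) else 401), realm

class Client:
    """Hypothetical client model, not Firefox code; replace_on_success=False mimics the symptom."""
    def __init__(self, prompts, replace_on_success=True):
        self.prompts = prompts            # realm -> (user, password) typed at the prompt
        self.replace = replace_on_success
        self.cache = {}                   # directory of request path -> header (same depth only)
        self.sent = []                    # (path, user) for every Authorization header sent

    def _send(self, path, header):
        if header:
            user = base64.b64decode(header.split()[1]).decode().split(":")[0]
            self.sent.append((path, user))
        return serve(path, header)

    def get(self, path):
        prefix = posixpath.dirname(path)  # "/" for /pathA, /pathB and /pathC
        status, realm = self._send(path, self.cache.get(prefix))  # preemptive attempt
        if status == 401:
            header = basic(*self.prompts[realm])  # user answers the prompt for this realm
            status, _ = self._send(path, header)
            if status == 200 and (self.replace or prefix not in self.cache):
                self.cache[prefix] = header       # latest challenge defines the space
        return status

def replay(replace_on_success):
    """Replay steps 1-10; return (path, user) for each Authorization header sent."""
    client = Client({"realmA": ("userA", "passA"), "realmB": ("userB", "passB")},
                    replace_on_success)
    for path in ("/pathA", "/pathB", "/pathC"):
        client.get(path)
    return client.sent
```

`replay(True)` gives the expected result from the report (userB sent to /pathC); `replay(False)` gives the actual result, where the first cached credentials are never replaced.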