Closed Bug 459882 Opened 16 years ago Closed 16 years ago

Able to access https://www-trunk.stage.mozilla.com/en-US/firefox/3.1b1/firstrun/ without entering user name and password

Categories

(mozilla.org Graveyard :: Server Operations, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: marcia, Assigned: xb95)

References

()

Details

While testing the first run and release notes pages, I noticed that it is possible to access these pages without entering a PW.

STR:

1. Visit https://www-trunk.stage.mozilla.com/en-US/firefox/3.1b1/firstrun/
2. When authentication dialog comes up, keep canceling out.
3. After 5-7 times, I can see almost all of the content on the page, except the jet fighter.

Expected: I would not be able to see the site at all unless I enter my credentials.
I saw this the other day, too, but I forgot to file a bug.
Component: Server Operations: Security → Server Operations
OS: Mac OS X → All
Hardware: PC → All
I'm not sure how you're seeing this.  The configuration is correct (Require valid-user) and in my testing it's doing the right thing.  I'm unable to reproduce this problem.

Are you sure your credentials aren't saved in your keychain?  Maybe hitting cancel means you aren't retyping them and your browser submits them anyway?

Not sure how you're going to be seeing this, and not sure what I can do to fix it.  Can you confirm that this is repeatable and not a fluke occurrence?  Can you confirm this in another browser (fire up Safari/IE and try it)?

If you give me good reproduction steps I can try to fix this.
Assignee: server-ops → mark
Status: NEW → ASSIGNED
(In reply to comment #2)
> I'm not sure how you're seeing this.  The configuration is correct (Require
> valid-user) and in my testing it's doing the right thing.  I'm unable to
> reproduce this problem.

This isn't a "new" problem. We've had this happen before in the past (bug 408388, bug 389874, bug 357557), and it was hard to reproduce then, too. :/

> Are you sure your credentials aren't saved in your keychain?  Maybe hitting
> cancel means you aren't retyping them and your browser submits them anyway?

I don't save my LDAP info in password manager.
Well, I added the Cache-Control: private header, as per oremj's original solution.  Please let me know if you see this behavior still!
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.