Closed Bug 576494 Opened 14 years ago Closed 13 years ago

Thunderbird asks for proxy password multiple / many times when viewing a single email

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 469117

People

(Reporter: mozilla, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3

Thunderbird asks for proxy password many times when viewing a single email that contains lots of remove content.

Lovefilm send me an email with many (>20) remote content pics etc. Many proxy password popups appear, all at the same time stacked up one behind the other.

If I enter it in one, cancel the next 20 odd one piece of remote content shows.
If I move to another email and then move back, all content is correctly displayed.



Reproducible: Always

Steps to Reproduce:
1. start TB
2. view a mail with multiple remote content parts
3. bang! many many proxy password popups
Actual Results:  
Too many proxy password popups

Expected Results:  
One proxy password popup

When content is fetched in parallel, the proxy password popup needs to be a singleton that all the threads wait on.
Does it also occur in Thunderbird 3.1 ?
Yes
Component: General → Security
QA Contact: general → thunderbird
This is not platform specific either - I'm getting it on 3.0.5 as supplied by Ubuntu 10.04

Very, very, very annoying when combined with bug 535103 (can't save proxy password). I find the quick solution is enter the details on the front prompt, then cancel all others, then view a different email and come back to the one that triggered the dialogs.
At my site, Thunderbird 3.1.2 (Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2) behaves exactly as described by the original poster.

Cave: Thunderbird displays an external HTML start page by default. This will mask the problem because the proxy password will already have been asked for when the message content is loaded. To reproduce the problem described above, you'll have to turn off the thunderbird start page in preferences.
Same here 

Version : Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2

SO      : Windows XP SP3

Proxy Server  : squid Version 2.6.STABLE21  (with authentication ,working fine with any browser)



Reproduce
1. configure proxy for thunderbird only for http

2. Send a mail with 2 image links 

3. open email with 2 image links on  thunderbird :  asked for user and password for each link, but after that you can open any email without thunderbird asking for authentication.

4. closed thunderbird and send a new email with 3 image links

5. open email with 3 image links on thunderbird:  it asked for user and password 3 times. after that any email with links opened normally

(clean thunderbird cache if are opening the same email)

so the problem seems to happen only with the first email with links



I am using thunderbird in a enterprise environment, so this feature its really important. Any help would be appreciated .

thanks
This behavior is probably due to TB "fetching" all HTTP HREF's at once (it doesn't realize that authentication will be required).  Having a start page that would require authentication would seem to be a reasonable workaround.  The only solution, otherwise, would be to serialize the HTTP requests (which would be _horrid_ for performance), or somehow check for additional pending password requests when password for the first request is entered, cancelling the pending requests password requests and reissuing the HTTP GETs with the given authentication credentials -- if the reason for the pending password requests was a "407 Proxy Authentication Required" response.
I disagree with a start page solution - naff.

Other products don't have the same problem. MSIE will perform simultaneous GETs for the same page but only ask for the proxy password once.

Don't serialise the GETs just serialise the 'get proxy credentials' call.

This means that if 10 GETs on the same email want a proxy password, the first one pops up the dialog, and the remaining 9 are blocked (i.e. waiting). Once the user enters the password, the remaining 9 calls for proxy credentials succeed with the cached results from the single entered password, and their GETs with credentials are reissued.
Has anyone checked what Firefox does if you have a page NOT requireing proxy auth which then loads multiple images or similar that DO require auth?

I know Firefox prompts multiple times if you load a bunch of tabs that require auth. But at least it allows saving the credentials.
(In reply to comment #8)
> [...] Don't serialise the GETs just serialise the 'get proxy credentials' call.
> 
> This means that if 10 GETs on the same email want a proxy password, the first
> one pops up the dialog, and the remaining 9 are blocked (i.e. waiting). 

You don't know you need proxy credentials until you get the "407" response.  I believe what you want is what I suggested in the "or somehow...." part of Comment #7.

(In reply to comment #9)
> Has anyone checked what Firefox does if you have a page NOT requireing proxy
> auth which then loads multiple images or similar that DO require auth?

This would be worthwhile investigating and/or asking of the FF developers.

> I know Firefox prompts multiple times if you load a bunch of tabs that require
> auth. But at least it allows saving the credentials.

So does TB, once it's received them from the user.  The problem is that multiple links will cause multiple "407" responses, and (currently) multiple password prompts; the 2nd (and subsequent) prompts are redundant and unnecessary.  I have NO familiarity with the code that issues the request, handles the "407" response, and does the prompting, so can't say how simple this would be to fix.
> You don't know you need proxy credentials until you get the "407" response.  I
> believe what you want is what I suggested in the "or somehow...." part of
> Comment #7.

I think I was suggesting an approach for the 'or somehow' that doesn't require a 'start page' to exercise the proxy.

This looks like the code in question.
I'm not a cpp hacker, so these are shallow guesses.

  comm-1.9.2/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp

  sub ProcessResponse line 1070
    case 407:
        rv = ProcessAuthentication(httpStatus);

  sub ProcessAuthentication line 3169
    // create a cache entry.  we do this even though we don't yet know that
    // these credentials are valid b/c we need to avoid prompting the user
    // more than once in case the credentials are valid.
  so they already thought of this...

  sub ProcessAuthentication line 3223
    rv = GetCredentials(challenges, mProxyAuth, creds);
    if (rv == NS_ERROR_IN_PROGRESS)  {
        // authentication prompt has been invoked and result
        // is expected asynchronously
        mAuthRetryPending = PR_TRUE;
  so GetCredentials can return NS_ERROR_IN_PROGRESS...

  sub GetCredentials line 3367
            rv = GetCredentialsForChallenge(challenge.get(), authType.get(),
                                            proxyAuth, auth, creds);
            ...
            else if (rv == NS_ERROR_IN_PROGRESS) {
                // authentication prompt has been invoked and result is
                // expected asynchronously, save current challenge being
                // processed and all remaining challenges to use later in
                // OnAuthAvailable and now immediately return
                mCurrentChallenge = challenge;
                mRemainingChallenges = eol ? eol+1 : nsnull;
                return rv;
            }
  looks good so far...

  sub GetCredentialsForChallenge line 3555
            // at this point we are forced to interact with the user to get
            // their username and password for this domain.
            rv = PromptForIdentity(level, proxyAuth, realm.get(), 

  and PromptForIdentity sets rv to NS_ERROR_IN_PROGRESS

  but back in sub GetCredentialsForChallenge at line 3589 
    rv from PromptForIdentity is overwritten by a call to GenCredsAndSetEntry which returns 
      rv = authCache->SetAuthEntry(scheme, host, port, directory, realm,


So my shallow guess is that the code around 3589 has to change to prevent losing the RV from PromptForIdentity.


> > Has anyone checked what Firefox does if you have a page NOT requireing proxy
> > auth which then loads multiple images or similar that DO require auth?
> 
> This would be worthwhile investigating and/or asking of the FF developers.
> 

Surely no need to ask the FF developers for this one. Visit a page with 10 images (fetched in parallel remember!) before you put in your password... Wahey, just one prompt.
(In reply to comment #11)
> > You don't know you need proxy credentials until you get the "407" response.  I
> > believe what you want is what I suggested in the "or somehow...." part of
> > Comment #7.
> 
> I think I was suggesting an approach for the 'or somehow' that doesn't require
> a 'start page' to exercise the proxy.
> 
> This looks like the code in question.
> I'm not a cpp hacker, so these are shallow guesses.
> 
>   comm-1.9.2/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp
[snip]
> So my shallow guess is that the code around 3589 has to change to prevent
> losing the RV from PromptForIdentity.

So how would you feel about submitting a patch ?


> > > Has anyone checked what Firefox does if you have a page NOT requireing proxy
> > > auth which then loads multiple images or similar that DO require auth?
> > 
> > This would be worthwhile investigating and/or asking of the FF developers.
> > 
> 
> Surely no need to ask the FF developers for this one. Visit a page with 10
> images (fetched in parallel remember!) before you put in your password...
> Wahey, just one prompt.

see bug 318253 and you'll see that you can get the same issue in FF.
(In reply to comment #11)

> > > Has anyone checked what Firefox does if you have a page NOT requireing proxy
> > > auth which then loads multiple images or similar that DO require auth?
> > 
> > This would be worthwhile investigating and/or asking of the FF developers.
> > 
> 
> Surely no need to ask the FF developers for this one. Visit a page with 10
> images (fetched in parallel remember!) before you put in your password...
> Wahey, just one prompt.

Well, Firefox up to 3.5.x had a problem with opening a browsing session with multiple tabs open. It would ask for proxy authentication for at least every tab. This has been fixed in 3.6.x. So I think it might indeed be worthwhile to investigate whether the problem in Firefox came from the same mechanism or even source code inside and if so, how it was fixed.
I am not sure whether the developers really understand what this bug means:

From a user perspective this bug is a show-stopper in any productive environment.

If the the user is not a technic-addicted geek, this more-than-annoying issue is absolutely not acceptable and the responsible supporter for deploying software will kicked in a** until he offers an alternative.

Please take this one as seriously as it is and fix it: This IS a show stopper for everyone behind a authenticating proxy.
Aint this a dupe of 469117 ??
(In reply to comment #15)
> Aint this a dupe of 469117 ??

Indeed thanks for spotting it.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.