Open Bug 1203030 Opened 9 years ago Updated 1 year ago

Allow remove logged status for basic authentication site in Page Info

Categories: Firefox :: Page Info Window, enhancement, P5
Version: 38 Branch
Status: UNCONFIRMED
People: Reporter: u20230201, Unassigned
References: Depends on 1 open bug
Attachments: 3 files

User Agent: Mozilla/5.0 (X11; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 2014112600

Steps to reproduce:

Log in with some user and password to some site using basic authentication. After authentication I found out it was the wrong user (the user was valid, but the service requires another user).


Actual results:

If I close and reopen the tab to log in again, the old authentication data is reused, and there is no way to make Firefox forget it (except closing and reopening it with all tabs).


Expected results:

There should be a way to remove or change (maybe view also) existing authorization data for a page similar to viewing remembered passwords and cookies.
Severity: normal → enhancement
OS: Unspecified → All
Hardware: Unspecified → All
Version: 34 Branch → 38 Branch
Component: Untriaged → XUL
Product: Firefox → Core
Hi Ulrich,

We're going to need a bit more information. What website are you testing? Can you reproduce this issue in a newer version of Firefox?
Flags: needinfo?(Ulrich.Windl)
(In reply to Grover Wimberly IV from comment #1)
Well, it seems the browser is sending the authorization data it has cached somewhere whenever it is requested. Once the authentication succeeds, the application won't ask to re-authenticate, and there is no way to tell the browser to forget the cached authentication data (unless I missed some recent magic addition).
I can't remember the site I was using, but probably some primitive site like CUPS on localhost (https://localhost:631) will do: authenticate as yourself (non-privileged user). Authentication will succeed, but you are not allowed to change things (like adding a printer). From there on, you cannot change your authentication data.
Flags: needinfo?(Ulrich.Windl)
Component: XUL → Page Info Window
Depends on: 260839
Product: Core → Firefox
See Also: → 300002
Summary: Add context menu "remove/change authorization data" for "page info" → Allow remove logged status for basic authentication site in Page Info
I think you can use devtools to delete the http auth session cookie, but I agree that's a little hard to find.

It wouldn't be terrible to have something on the page info dialog to delete the current http auth session, but we have no plans currently to do anything here.
Priority: -- → P5
Hi, I was looking in to implementing a button in the page info dialog that would delete session cookies, but it looks like the nightly build already has a clear cookies button. Is there anything else that needs to be done in this case?
Severity: normal → S3

Hi there, I ran into this recently, so thought I'd provide some details.

Reproduction steps are straightforward if you can get your hands on a service using HTTP basic auth (from RFC 7617):

  1. make a request to a protected page. The server will respond with a 401 and a WWW-Authenticate header. This triggers the opening of the browser's native login prompt
  2. provide a valid username and password. These will be encoded to base64 and sent on all following requests as the content of the Authorization header
  3. the Authorization is obviously persisted by the browser, but it is not in cookies (or in any other site storage that I could find). This makes it difficult for developers or users to log out (see this StackOverflow question, 335 upvotes at time of writing)

So to try and move this forward, let me attempt to answer some open questions above (I'm aware they are 4+ years old, apologies for this).


(In reply to Jeff Griffiths (:canuckistani) (:⚡︎) from comment #3)

I think you can use devtools to delete the http auth session cookie, but I
agree that's a little hard to find.

Not that I can see (I'm on Firefox 106). Or am I looking in the wrong place? I would expect this in the Storage tab, and it's definitely not there.


(In reply to Justin from comment #4)

it looks like the nightly build already
has a clear cookies button. Is there anything else that needs to be done in
this case?

Yes, something else needs to be done, because clearing cookies (tried via the browser setting and via the new Clear-Site-Data HTTP header) doesn't seem to clear these stored authorization entries.
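The three-step exchange described in the comment above (401 challenge, base64 Authorization header, replay on every later request), as an added example that is not code from the bug report or from Firefox. The user table, realm and credentials are constructed for the demo; the server-side parser also handles the malformed-header cases a real endpoint must reject.

```python
import base64
import hmac

# Constructed demo users and realm (hypothetical, not from the bug report).
USERS = {"alice": "correct horse"}
REALM = "CUPS"

def challenge():
    """Server side, step 1: the 401 a protected page returns (RFC 7617, section 2)."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}

def authorization_header(user, password):
    """Client side, step 2: what the browser sends after the login prompt
    and then replays, unchanged, on every subsequent request to that realm."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def verify(headers):
    """Server side: parse the Authorization header and return (status, user).
    Malformed tokens get 400; missing or wrong credentials get the 401 challenge."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return challenge()[0], None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return 400, None
    user, sep, password = decoded.partition(":")
    if not sep:  # RFC 7617 requires a colon between user-id and password
        return 400, None
    expected = USERS.get(user)
    # Constant-time comparison so password checking leaks no timing information.
    ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
    return (200, user) if ok else (401, None)

def run_flow(user, password):
    """The whole exchange: unauthenticated request -> 401, retry with Authorization."""
    status, hdrs = challenge()
    assert status == 401 and "WWW-Authenticate" in hdrs
    auth = authorization_header(user, password)
    # Step 3: note that no Set-Cookie appears anywhere in this flow. The credentials
    # live in the browser's auth cache, which is why clearing cookies or site data
    # does not log the user out; only the browser forgetting the cache does.
    return verify({"Authorization": auth})

if __name__ == "__main__":
    print(run_flow("alice", "correct horse"))  # (200, 'alice')
    print(run_flow("alice", "wrong password"))  # (401, None)
```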

Attached image 1-401-login-prompt.png

Basic auth flow on Firefox 106. When a server returns 401 with the WWW-Authenticate header, the browser opens the built-in login prompt.

Basic auth flow on Firefox 106. After valid credentials have been provided by the user, the browser sends them as base64 on all subsequent requests (as the content of the Authorization header).

Attached image 3-no-cookies.png

The authorization entry is persisted by the browser (since it's passed as a header on all requests), but it can't be seen/cleared in the Firefox devtools' Storage tab.

Ah—I finally understood that authorization entries ("Active Logins" in Firefox) are considered part of History (not storage) and can therefore be manually cleared by going to Firefox top-right hamburger menu -> History -> Clear recent history and choosing to clear active logins.

In my opinion, it would still make a lot of sense to allow developers to manually clear these in Devtools -> Storage, but this might not be possible because of the reasons outlined in Bug 1726743 (the AuthTokensCleaner and AuthCacheCleaner cannot clear authorization entries by domain).
