Asking twice for NTLM proxy password when prompting also for WWW NTLM auth

RESOLVED FIXED in Firefox 53

Status

()

defect
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: mayhemer, Assigned: mayhemer)

Tracking

53 Branch
mozilla53
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox53 fixed)

Details

(Whiteboard: [necko-active][ntlm])

Attachments

(1 attachment)

Bug 1315332 and bug 1309438 introduced closing of a sticky connection when user is prompted for credentials.

scenario:
- we are asked for creds for NTLM proxy
- user enters it, it's correct, it's cached
- server now asks for NTLM auth
- we throw the sticky connection away (which also kills the proxy connection), ask user for the creds
- user provides it
- we create a new connection
- and now we have to auth to the proxy again as well

( the sequence looks like 407, 407, 401, 407 )

problem:
- we don't reuse the cached creds for the second proxy auth and ask again the user

cause:
- ntlm::ChallengeReceived returns identInvalid = true (expected and correct)
- but, the mProxyIdent is Equal() to the cached entry in nsHttpChannelAuthProvider::GetCredentialsForChallenge 
-> hence, we consider it as invalid (believing the proxy rejects these credentials), clear it from the cache and ask again the user

fix:
- throw the proxy ident from http channel auth provider away when the proxy authenticated connection is closed, what forces reuse of the cached entry for the proxy credentials, which is expected to work (pass the proxy authentication) ; it's highly unlikely the proxy credentials would change in the meantime ;)
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Gary, please retest your cases (specially the case 2) from [1] with the patch from this bug.

Thanks.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1309438#c16
Flags: needinfo?(gary)
Comment on attachment 8815390 [details] [diff] [review]
v1 (drop mProxyIdent when dropping sticky conn because of WWW auth dialog)

Jason, I'm asking you since Patrick was not very responsive the last time (probably busy).  Feel free to forward to anyone else.
Attachment #8815390 - Flags: review?(jduell.mcbugs)
Applied patch and re ran tests, it appears to be fixed.
Flags: needinfo?(gary)
(In reply to Gary Lockyer from comment #4)
> Applied patch and re ran tests, it appears to be fixed.

Thank you!
Whiteboard: [necko-active]
Comment on attachment 8815390 [details] [diff] [review]
v1 (drop mProxyIdent when dropping sticky conn because of WWW auth dialog)

Review of attachment 8815390 [details] [diff] [review]:
-----------------------------------------------------------------

Good comment!
Attachment #8815390 - Flags: review?(jduell.mcbugs) → review+
Keywords: checkin-needed
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eb6839ca47ea
Avoid double NTLM proxy auth prompt by not keeping nsHttpChannelAuthProvider::mProxyIdent when the sticky connection is threw away during NTLM WWW authentication prompt, r=jduell
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/eb6839ca47ea
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Whiteboard: [necko-active] → [necko-active][ntlm]
You need to log in before you can comment on or make changes to this bug.