Asking twice for NTLM proxy password when prompting also for WWW NTLM auth

RESOLVED FIXED in Firefox 53

Status

()

RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: mayhemer, Assigned: mayhemer)

Tracking

53 Branch
mozilla53
Points:
---

Firefox Tracking Flags

(firefox53 fixed)

Details

(Whiteboard: [necko-active][ntlm])

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
Bug 1315332 and bug 1309438 introduced closing of a sticky connection when user is prompted for credentials.

scenario:
- we are asked for creds for NTLM proxy
- user enters it, it's correct, it's cached
- server now asks for NTLM auth
- we throw the sticky connection away (which also kills the proxy connection), ask user for the creds
- user provides it
- we create a new connection
- and now we have to auth to the proxy again as well

( the sequence looks like 407, 407, 401, 407 )

problem:
- we don't reuse the cached creds for the second proxy auth and ask again the user

cause:
- ntlm::ChallengeReceived returns identInvalid = true (expected and correct)
- but, the mProxyIdent is Equal() to the cached entry in nsHttpChannelAuthProvider::GetCredentialsForChallenge 
-> hence, we consider it as invalid (believing the proxy rejects these credentials), clear it from the cache and ask again the user

fix:
- throw the proxy ident from http channel auth provider away when the proxy authenticated connection is closed, what forces reuse of the cached entry for the proxy credentials, which is expected to work (pass the proxy authentication) ; it's highly unlikely the proxy credentials would change in the meantime ;)
(Assignee)

Updated

2 years ago
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
(Assignee)

Comment 1

2 years ago
Created attachment 8815390 [details] [diff] [review]
v1 (drop mProxyIdent when dropping sticky conn because of WWW auth dialog)

Explanation in the patch and in bugzilla.  Not tested (will ask Gary).

https://treeherder.mozilla.org/#/jobs?repo=try&revision=7fac59ae31d4db2b01f9205dee6e6962b5490258
(Assignee)

Comment 2

2 years ago
Gary, please retest your cases (specially the case 2) from [1] with the patch from this bug.

Thanks.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1309438#c16
Flags: needinfo?(gary)
(Assignee)

Comment 3

2 years ago
Comment on attachment 8815390 [details] [diff] [review]
v1 (drop mProxyIdent when dropping sticky conn because of WWW auth dialog)

Jason, I'm asking you since Patrick was not very responsive the last time (probably busy).  Feel free to forward to anyone else.
Attachment #8815390 - Flags: review?(jduell.mcbugs)

Comment 4

2 years ago
Applied patch and re ran tests, it appears to be fixed.
Flags: needinfo?(gary)
(Assignee)

Comment 5

2 years ago
(In reply to Gary Lockyer from comment #4)
> Applied patch and re ran tests, it appears to be fixed.

Thank you!
Whiteboard: [necko-active]

Comment 6

2 years ago
Comment on attachment 8815390 [details] [diff] [review]
v1 (drop mProxyIdent when dropping sticky conn because of WWW auth dialog)

Review of attachment 8815390 [details] [diff] [review]:
-----------------------------------------------------------------

Good comment!
Attachment #8815390 - Flags: review?(jduell.mcbugs) → review+
(Assignee)

Updated

2 years ago
Keywords: checkin-needed

Comment 7

2 years ago
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eb6839ca47ea
Avoid double NTLM proxy auth prompt by not keeping nsHttpChannelAuthProvider::mProxyIdent when the sticky connection is threw away during NTLM WWW authentication prompt, r=jduell
Keywords: checkin-needed

Comment 9

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/eb6839ca47ea
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
(Assignee)

Updated

2 years ago
Whiteboard: [necko-active] → [necko-active][ntlm]
You need to log in before you can comment on or make changes to this bug.