Asking twice for NTLM proxy password when prompting also for WWW NTLM auth

RESOLVED FIXED in Firefox 53

Status

()

Core
Networking: HTTP
RESOLVED FIXED
a year ago
9 months ago

People

(Reporter: mayhemer, Assigned: mayhemer)

Tracking

53 Branch
mozilla53
Points:
---

Firefox Tracking Flags

(firefox53 fixed)

Details

(Whiteboard: [necko-active][ntlm])

Attachments

(1 attachment)

(Assignee)

Description

a year ago
Bug 1315332 and bug 1309438 introduced closing of a sticky connection when user is prompted for credentials.

scenario:
- we are asked for creds for NTLM proxy
- user enters it, it's correct, it's cached
- server now asks for NTLM auth
- we throw the sticky connection away (which also kills the proxy connection), ask user for the creds
- user provides it
- we create a new connection
- and now we have to auth to the proxy again as well

( the sequence looks like 407, 407, 401, 407 )

problem:
- we don't reuse the cached creds for the second proxy auth and ask again the user

cause:
- ntlm::ChallengeReceived returns identInvalid = true (expected and correct)
- but, the mProxyIdent is Equal() to the cached entry in nsHttpChannelAuthProvider::GetCredentialsForChallenge 
-> hence, we consider it as invalid (believing the proxy rejects these credentials), clear it from the cache and ask again the user

fix:
- throw the proxy ident from http channel auth provider away when the proxy authenticated connection is closed, what forces reuse of the cached entry for the proxy credentials, which is expected to work (pass the proxy authentication) ; it's highly unlikely the proxy credentials would change in the meantime ;)
(Assignee)

Updated

a year ago
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
(Assignee)

Comment 1

a year ago
Created attachment 8815390 [details] [diff] [review]
v1 (drop mProxyIdent when dropping sticky conn because of WWW auth dialog)

Explanation in the patch and in bugzilla.  Not tested (will ask Gary).

https://treeherder.mozilla.org/#/jobs?repo=try&revision=7fac59ae31d4db2b01f9205dee6e6962b5490258
(Assignee)

Comment 2

a year ago
Gary, please retest your cases (specially the case 2) from [1] with the patch from this bug.

Thanks.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1309438#c16
Flags: needinfo?(gary)
(Assignee)

Comment 3

a year ago
Comment on attachment 8815390 [details] [diff] [review]
v1 (drop mProxyIdent when dropping sticky conn because of WWW auth dialog)

Jason, I'm asking you since Patrick was not very responsive the last time (probably busy).  Feel free to forward to anyone else.
Attachment #8815390 - Flags: review?(jduell.mcbugs)

Comment 4

a year ago
Applied patch and re ran tests, it appears to be fixed.
Flags: needinfo?(gary)
(Assignee)

Comment 5

a year ago
(In reply to Gary Lockyer from comment #4)
> Applied patch and re ran tests, it appears to be fixed.

Thank you!
Whiteboard: [necko-active]
Comment on attachment 8815390 [details] [diff] [review]
v1 (drop mProxyIdent when dropping sticky conn because of WWW auth dialog)

Review of attachment 8815390 [details] [diff] [review]:
-----------------------------------------------------------------

Good comment!
Attachment #8815390 - Flags: review?(jduell.mcbugs) → review+
(Assignee)

Updated

a year ago
Keywords: checkin-needed

Comment 7

a year ago
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eb6839ca47ea
Avoid double NTLM proxy auth prompt by not keeping nsHttpChannelAuthProvider::mProxyIdent when the sticky connection is threw away during NTLM WWW authentication prompt, r=jduell
Keywords: checkin-needed

Comment 8

a year ago
bugherderlanding
https://hg.mozilla.org/integration/mozilla-inbound/rev/eb6839ca47ea

Comment 9

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/eb6839ca47ea
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
(Assignee)

Updated

9 months ago
Whiteboard: [necko-active] → [necko-active][ntlm]
You need to log in before you can comment on or make changes to this bug.