Open Bug 1657591 Opened 4 years ago Updated 10 months ago

remember client auth decisions on a per-session basis

Categories

(Core :: Security: PSM, enhancement, P2)

79 Branch
enhancement

UNCONFIRMED

People

(Reporter: david.balazic, Unassigned)

Details

(Whiteboard: [psm-backlog][psm-clientauth])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0

Steps to reproduce:

  • have more than one (or at least one) personal certificate installed in Firefox
  • go to a website that uses client certificate authentication
  • in the "User Identification Request" dialog that pops up deselect "Remember this decision" and click OK
  • in the "User Identification Request" dialog that pops up deselect "Remember this decision" and click OK
  • in the "User Identification Request" dialog that pops up deselect "Remember this decision" and click OK

Actual results:

The "User Identification Request" dialog keeps popping up.

Expected results:

The dialog should not pop up many times.

The issue was observed in Nightly: 81.0a1 (2020-08-06) (64-bit)

The behavior is similar if user clicks Cancel: the dialog comes back several times

It seems the dialog is shown for each outgoing HTTP(S) request.

After that, the dialog does not appear any more. Even when opening URLs on the same website, that were never opened before (so it is not a cache issue, at least not a simple case of it).

After a clean using Ctrl-Shift-Del, it asks again to select a client certificate.
Or after restarting Firefox.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Are you expecting Firefox to keep sending the client certificate you chose the first time the dialog came up?

Flags: needinfo?(david.balazic)

I expect it to behave in a consistent way.

Not sure what answer you expect from me. A solution proposal?

Flags: needinfo?(david.balazic)

I'm asking how you want Firefox to behave. If you don't check the "remember my decision" box, Firefox won't remember the decision. So, when a new TLS connection to that domain occurs and the server requests a client certificate, what should Firefox do to be consistent, given that you don't want it to show the dialog again?

Flags: needinfo?(david.balazic)

It already remembers it, as I reported. Just not right away, but after a few times clicking OK in the dialog. Then it forgets the choice when FF is exited.

This would be one solution: remember it but only until FF is closed. With the small change (from current nightly behavior): remember it right after first click, not after a random(?) amount of them

Idea 2: remember it only for the duration of the current page
That is:

  • ask once
  • then load the page and all included documents (from the same server) using the selected option
    For next page load (user clicks a link), ask again (but only once, not once for each HTTP request or whatever is currently happening)

Non idea 3: keep asking for each http request

  • this is useless, especially as in the dialog there is no information what exactly is being requested (the URL); just listing this for completeness

And finally, a variation of the first idea: remember the choice, but just until the web page is closed (all pages/tabs from that server)

My preferred solution would be the first (plus the variation mentioned above).

Flags: needinfo?(david.balazic)

Great - thanks.

Severity: -- → N/A
Type: defect → enhancement
Priority: -- → P2
Summary: cert auth dialog appears many times when not remembering selection → remember client auth decisions on a per-session basis
Whiteboard: [psm-backlog][psm-clientauth]

See my comments on the related bug 1657588.

Also, note that "all included documents" is tricky - consider JavaScript that makes XMLHttpRequests in response to typing: that results in an indefinite number of HTTP requests. Not checking "remember" should not result in a query for each one. David is on the right track in the sense that there needs to be some concept of a "session".

See Also: → 803975
Duplicate of this bug: 1799869

Allow me to give more details. I use certificates various times a week for all government-related websites and have more than one certificate installed.

The typical scenario is:

  1. A website requests a certificate.
  2. I choose one (this is the decision that normally matters).
  3. The website requests a certificate again between 4 and 8 times before displaying the next page (normally these decisions do not matter and normally I can just click Cancel).
  4. The next page shows.
  5. No more certificate is requested.

It seems that the problem is that after telling Firefox the first time what certificate to use, Firefox has not registered this decision yet (for the session) when loading "related" HTTP requests for the next page. Once the next page is loaded, it works fine for the rest of the session.

I got fed up with the repeated certificate requests and marked the checkbox "remember my decision", but this will remember it forever and it can only be un-remembered in an obscure corner of the Firefox settings (certificates > authentication decisions), where most people will not be able to find it.
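
The session-scoped behaviour requested in this bug, sketched as an added example (not part of any comment, and not Firefox or PSM code): connections that ask for a certificate while a dialog is already open join that dialog, and the answer is kept in memory only until it is cleared. The class, its method names, and the host `gov.example` are hypothetical.

```javascript
// Added illustration only; all names here are hypothetical.
class SessionClientAuthCache {
  constructor() {
    this.decisions = new Map(); // key -> chosen certificate name, or null for Cancel
    this.pending = new Map();   // key -> callbacks waiting on the one open dialog
    this.promptsShown = 0;
  }

  // Assumption: decisions are scoped to host and port, never shared across hosts.
  static key(host, port) {
    return `${host.toLowerCase()}:${port}`;
  }

  // Called once per TLS connection on which the server requests a certificate.
  requestCertificate(host, port, onDecision) {
    const k = SessionClientAuthCache.key(host, port);
    if (this.decisions.has(k)) {        // already answered in this session
      onDecision(this.decisions.get(k));
      return;
    }
    const waiters = this.pending.get(k);
    if (waiters) {                      // a dialog is already open: join it
      waiters.push(onDecision);
      return;
    }
    this.pending.set(k, [onDecision]);
    this.promptsShown += 1;             // the only place a dialog would be shown
  }

  // Called when the user closes the dialog; cert === null records Cancel.
  userDecided(host, port, cert) {
    const k = SessionClientAuthCache.key(host, port);
    const waiters = this.pending.get(k) || [];
    this.pending.delete(k);
    this.decisions.set(k, cert);
    for (const cb of waiters) cb(cert);
  }

  // Clearing history or exiting the browser forgets every decision.
  clear() {
    this.decisions.clear();
  }
}

// Constructed scenario: several connections open before the user answers,
// then one more request arrives later in the same session.
function simulatePageLoad(cache, host, connections, cert) {
  const sent = [];
  for (let i = 0; i < connections; i++) {
    cache.requestCertificate(host, 443, (c) => sent.push(c));
  }
  cache.userDecided(host, 443, cert);
  cache.requestCertificate(host, 443, (c) => sent.push(c));
  return { prompts: cache.promptsShown, sent };
}
```

The in-memory map is never written to disk, so the choice does not outlive the session the way the "Remember this decision" checkbox does.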

I came to submit this bug but I think this is the same one.

When using the LXD WebUI, doing almost anything causes the "User Identification Request" dialog to pop up multiple times (usually about four times). Even just switching to the tab causes it to pop up, and it's modal to the whole window so you must click "OK" before you can switch to another tab.

This happens the same amount whether the "Remember this decision" checkbox is checked or not.

Firefox is not remembering my decision, at least not as I understand a "decision".

(In reply to Richard Brooksby from comment #11)

> Firefox is not remembering my decision, at least not as I understand a "decision".

I should add, this is Firefox 117.0 on Ubuntu 22.04 LTS and LXD 5.17.
