Closed Bug 266126 Opened 20 years ago Closed 19 years ago

Tabs do not remember HTTP authentication credentials

Categories

(Firefox :: Tabbed Browser, defect)

x86
Windows 2000
defect
Not set
minor

RESOLVED WORKSFORME

People

(Reporter: anita.kessler, Assigned: bugs)

Details

(Whiteboard: [sg:nse])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041025 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041025 Firefox/0.10.1

Single tabs do not remember their HTTP authentication credentials.

Reproducible: Always
Steps to Reproduce:
1. Create two dirs on your server and protect with .htaccess, different users
2. Browse to first dir, enter credentials of user one at prompt
3. Browse to second dir in new tab, enter credentials of user two at prompt
4. Switch back to first tab, try to reload or load other files in that dir


Actual Results:  
You are prompted to enter credentials of user one and two again each time you
switch the two tabs.

Expected Results:  
Tabs should remember their credentials.

I have the strong feeling that in an old version of FF this worked well, but I
can't remember any more :-(

Security note: Are maybe the wrong credentials used and even sent to wrong
server in wrong tab?

No sign of a security bug.

> Security note: Are maybe the wrong credentials used and even sent to wrong
> server in wrong tab?

This would be a security bug, but it's unlikely and you give no evidence that
this happens.


Does that only happen in tabs or also, if you use different windows? Does it
happen with Mozilla? If you'd provide testcases, that would be easier to check.

> 2. Browse to first dir, enter credentials of user one at prompt
> 3. Browse to second dir in new tab, enter credentials of user two at prompt
> 4. Switch back to first tab, try to reload or load other files in that dir

I guess the problem is that Mozilla has only the notion of one username
per server and doesn't distinguish between directories.

Group: security
Severity: major → normal
Whiteboard: [sg:nse]
Severity: normal → minor

Hello,
I have the same authorization error with different subdirectories and users at
one server.

> Does that only happen in tabs or also, if you use different windows? Does it
> happen with Mozilla? If you'd provide testcases, that would be easier to 
> check.

I have two subdirectories:
https://www.servername.com/subd1
https://www.servername.com/subd2

Both usernames are each equal to the name of the subdirectory, so they are
different to each other.

When I now access the first subdirectory I can enter the authorization data and
access the site. Same to the second subdirectory. If I now try to access the
first again, I have to re-enter the first username/password.

> I guess what's the problem is that Mozilla has only the notion of one username
> per server, doesn't distinguish between directories.

I have two different user names, this cannot be the problem.

The error occurs if I use different tabs as well as in different windows. I did
not try to use Mozilla yet, only the Firefox.

I strongly suspect that the problem you're experiencing has little to do with tabs
and everything to do with the names of your realms. From the spec (RFC 2617)[1]

   The realm directive (case-insensitive) is required for all
   authentication schemes that issue a challenge. The realm value
   (case-sensitive), in combination with the canonical root URL (the
   absoluteURI for the server whose abs_path is empty; see section 5.1.2
   of [2]) of the server being accessed, defines the protection space.
-http://www.ietf.org/rfc/rfc2617.txt

So, directories play no role in HTTP authentication. My testing shows that
Mozilla behaves perfectly.

http://dent.student.umd.edu/~atrus/auth_test/
realm: testing 123
user: testing
pass: 123
http://dent.student.umd.edu/~atrus/auth_test2/
realm: testing 456
user: testing
pass: 456
http://dent.student.umd.edu/~atrus/auth_test3/
realm: testing 123
user: testing
pass: 789

auth_test and auth_test2 are in different protection realms and can be refreshed
without problems. auth_test3 uses the same realm and user name as auth_test, but
a different password. So, when I switch between refreshing each, I must re-enter
the password. This is, as I said, exactly what the spec indicates should be
done. The practical reason should be obvious: the content in a page may come from
different directories (/index.html, /image/header.gif, /js/script.js, etc.) but
each directory does not necessarily need its own username and password.

So, please check the realms in your case (you didn't list URLs so I can't test
them myself).
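
The protection-space rule quoted from RFC 2617 above, as an added example that is not part of the original bug comments or of Mozilla's code: a model client caches one credential per (canonical root URL, realm) pair and is run against a constructed model of the three test directories. `Client`, `SERVER` and `count_prompts` are hypothetical names introduced for illustration.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def protection_space(url, challenge):
    """Return (canonical root URL, realm); the path plays no part."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    root = f"{parts.scheme}://{parts.hostname}:{port}"
    # The directive name "realm" is case-insensitive; its value is not.
    match = re.search(r'realm="((?:[^"\\]|\\.)*)"', challenge, re.IGNORECASE)
    if match is None:
        raise ValueError("challenge carries no realm")
    return root, match.group(1)

# Constructed model of the three test directories listed in the comment:
# path -> (realm announced in the challenge, credentials the directory accepts)
HOST = "http://dent.student.umd.edu"
SERVER = {
    "/~atrus/auth_test/":  ("testing 123", ("testing", "123")),
    "/~atrus/auth_test2/": ("testing 456", ("testing", "456")),
    "/~atrus/auth_test3/": ("testing 123", ("testing", "789")),
}

class Client:
    """Hypothetical client holding one credential per protection space."""
    def __init__(self, user_input):
        self.cache = {}
        self.user_input = user_input  # what the user types, keyed by path
        self.prompts = 0

    def get(self, path):
        realm, accepted = SERVER[path]
        space = protection_space(HOST + path, f'Basic realm="{realm}"')
        if self.cache.get(space) != accepted:
            # Nothing cached, or the cached credential was rejected: prompt
            # the user and overwrite the single entry for this space.
            self.prompts += 1
            self.cache[space] = self.user_input[path]
        return self.cache[space] == accepted

def count_prompts(paths):
    """Visit the paths in order and return how often the user was prompted."""
    client = Client({p: creds for p, (_, creds) in SERVER.items()})
    assert all(client.get(p) for p in paths)
    return client.prompts
```

Alternating between auth_test and auth_test2 costs one prompt each, while alternating between auth_test and auth_test3 prompts on every switch because both map to the same cache entry. When two areas of one server need different credentials, give them different realm strings.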

WFM. Firefox 1.5.0.1 ID:2006011112.

As no further comments describing the problem in more detail have arrived since the call of comment #3, I shall mark this bug WORKSFORME.

However, if you see this problem in a recent build of Mozilla, feel free
to return and ask for this bug to be reopened.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME