Closed Bug 289168 Opened 20 years ago Closed 20 years ago

form submit bypasses change of security realm

Categories

(SeaMonkey :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: boinka, Assigned: dveditz)


User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

Mozilla 1.8.0.2005032305, new install, new profile, Win XP SP1, reproducible, saved passwords used or not. Using protocol https, self-signed low-grade 40-bit certs from Oracle 9iAS 9.0.3 (uses Apache webserver).

We have a website that has several different security realms. When a user moves from one realm to another via link or URL pasting, the browser (Mozilla or Firefox) challenges user for credentials. However, when a user moves from one realm to another via form submit button (either GET or POST), they are not challenged, and the page in the new realm downloads and displays (without authorization as far as I can tell). I don't know if Mozilla tries existing domain credentials automatically for form submits or what, but this does not *seem* like correct standards-based behavior. A user should be challenged at each new realm no matter how they get there.

Reproducible: Always

Steps to Reproduce:
1. create a website with two pages, each in a different security realm
2. 1st page should have form action pointing to 2nd page (absolute action URL in this case)
3. GET 1st page - you will be challenged for 1st realm credentials
4. submit form to GET or POST 2nd page - you will get the 2nd page with no challenge

Actual Results: Saw form results page without being challenged for credentials.

Expected Results: Challenged user for credentials when changing realms, no matter how the new realm is reached.
Flags: blocking1.7.7?
Blocks: 289187
Do you have a testcase?
(In reply to comment #1)
> Do you have a testcase?

Ian,

Unfortunately, the test case is an intranet company data system which cannot be seen on the open internet. I tried to describe how the system is set up in my original post. If you set up an Apache server with two pages, each in their own realm, one of which has a form with an action of the other page (absolute or relative URL) and a submit button, you should see the behavior if the user is allowed in both groups.

I might be able to pare down the Apache config files to the security and user sections for you to use as an example, but you would have to set yours up manually anyway because of your local directory structure and the password file. Let me know if you'd like this, or have specific questions.

P.S. - Another thought I had is that the pages in question are generated by the Oracle database through their mod_plsql plugin to Apache. I'm going to try some tests today on flat-file pages to see if there is something weird going on with the Oracle plugin, or if it's a general case with realms. You may or may not want to hold off until I can give you results.

-Rich S.
Well, apparently this is the "intended" behavior. Mozilla, Firefox, and the dreaded IE all try existing domain credentials on a new realm before prompting a user for new credentials. However, I can find no concrete definition in any standards regarding this behavior. Is it a standard, or is it the de facto way of doing things? If one of y'all knows where this is specifically spelled out, I'd sure like to read it...

In any case, y'all can whack this "bug" report... Sorry for wasting your time.

-Rich S.
As I see it there are three things that could be going on:

1. The browser has been told the different passwords (e.g. by logging in to those realms earlier in the session) and when switching realms during form submission, the UA is simply reusing the passwords it was given. That would be correct behaviour (we should automatically include authentication information when submitting to URIs we know are in a particular realm, and should be automatically sending authentication information to sites that we believe could be in a particular realm). Note that we don't get told the realm unless we fail to send authentication information or send the wrong authentication details.

2. The browser has been told one password, that of the first realm, and the server is accepting it as the password of the second realm. Since the UA doesn't send the realm information, and the server doesn't send realm info unless the login failed, neither the server nor the browser know that they think they are in different realms.

3. The browser doesn't send any authentication information, and the server isn't complaining, maybe because it's a POST. The browser doesn't get told there's a new realm, and so doesn't know anything is wrong.

I don't see how the UA, the browser, could in any way bypass the security checks on the server. That's the server's responsibility.

[I propose we open this bug and ask for someone in the community to set up a testcase for this.]
Sorry, didn't see your last comment before submitting mine. Yes, I believe this behaviour is spelt out in the relevant HTTP and HTTP auth specs, but I don't have the reference with me right now.

[Opening bug and marking invalid per reporter.]
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Flags: blocking1.7.7?
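
The behaviour discussed in this thread (a browser retrying credentials it already holds, and the server alone deciding whether to answer 200 or 401) can be modelled offline. This is an added example, not part of the bug report or of Mozilla's code; the paths, realm names, users and the per-realm "methods that require auth" setting are constructed for illustration.

```python
import base64

# Constructed server config: path prefix -> (realm, users, methods that require auth)
REALMS = {
    "/a/": ("Realm A", {"alice": "pw1", "bob": "pw2"}, {"GET", "POST"}),
    "/b/": ("Realm B", {"alice": "pw1"}, {"GET", "POST"}),
    "/c/": ("Realm C", {"alice": "pw1"}, {"GET"}),  # POST left unprotected by mistake
}

def serve(method, path, headers):
    """Return (status, response_headers). Authorization is decided here, per request."""
    for prefix, (realm, users, methods) in REALMS.items():
        if path.startswith(prefix):
            break
    else:
        return 404, {}
    if method not in methods:
        return 200, {}  # server never asks, so the client never learns of the realm
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if users.get(user) == pw:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

class UserAgent:
    """Models a browser that re-sends the credentials it already holds for the host."""
    def __init__(self):
        self.creds = None
    def login(self, user, pw):
        self.creds = base64.b64encode(f"{user}:{pw}".encode()).decode()
    def request(self, method, path):
        headers = {"Authorization": "Basic " + self.creds} if self.creds else {}
        status, resp = serve(method, path, headers)
        # Only a 401 carries the realm name; a 200 gives nothing to prompt on.
        return status, resp.get("WWW-Authenticate")

def demo():
    alice, bob, anon = UserAgent(), UserAgent(), UserAgent()
    alice.login("alice", "pw1")  # valid in Realm A and Realm B
    bob.login("bob", "pw2")      # valid in Realm A only
    return {
        "alice_form_to_b": alice.request("POST", "/b/result"),
        "bob_form_to_b": bob.request("POST", "/b/result"),
        "anon_post_to_c": anon.request("POST", "/c/result"),
        "anon_get_c": anon.request("GET", "/c/result"),
    }

if __name__ == "__main__":
    print(demo())
```

The `alice_form_to_b` case matches what the reporter saw (a user allowed in both realms is never challenged), while `anon_post_to_c` shows the server-side gap a tester should rule out by sending the form request with no `Authorization` header at all.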