Multiple passwords in HTTP basic authentication will not be transmitted correctly

RESOLVED INCOMPLETE

Status

()

Firefox
Security
RESOLVED INCOMPLETE
13 years ago
4 years ago

People

(Reporter: Jörg Prante, Unassigned)

Tracking

1.0 Branch
x86
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

In the HTTP basic authentication dialog, Firefox will send the correct password
only at first time. If the first challenge fails, the HTTP server will prompt
for athetnication again. When entering different credentials, they are messed
up. The second password given is padded by the first, parts of the password of
the first try will be send to the server again. The user will not notice the
problem. Thie bug is evident if the second password is shorter than the first.

Reproducible: Always

Steps to Reproduce:
1. Select a HTTP server with HTTP basic authentication, and enable debugging of
username and password credentials coming from clients
2. Open Firefox and visit the server. Enter invalid credentials with a long
password. The server will challenge again.
3. Enter (maybe correct) credentials with a shorter password than before. The
authentication fails.

Actual Results:  
Authentication is not possible without restarting Firefox if the first challenge
failed.

Expected Results:  
Firefox should always send the entered credentials to the server.

Here is a log of Firefox connecting to Tomcat 5.5.4. 
The client sends username "a" and password "1234567890", which fails, followed
by a second try, username "b" and passwort "c". The second password "c" is
padded by "234567890".

28.04.2005 21:37:24 DEBUG [http-9090-Processor25] [localhost].[/] - Returned
username "a"
28.04.2005 21:37:24 DEBUG [http-9090-Processor25] [localhost].[/] - Returned
password "1234567890"
28.04.2005 21:37:38 DEBUG [http-9090-Processor25] [localhost].[/] - Returned
username "b"
28.04.2005 21:37:38 DEBUG [http-9090-Processor25] [localhost].[/] - Returned
password "c234567890"
Assignee: nobody → darin
Component: Security → Networking: HTTP
Product: Firefox → Core
QA Contact: firefox → networking.http
Version: unspecified → Trunk
I don't see this on a quick test against an http server I happen to have that
requires auth. Will test more later.

You could run a log and see if anything shows up:
http://www.mozilla.org/projects/netlib/http/http-debugging.html
Component: Networking: HTTP → Security
Product: Core → Firefox
QA Contact: networking.http → firefox
Version: Trunk → unspecified
I haven't been able to reproduce this bug in 1.0.4 with a simple test page[1].

The log is good and powerful, but I find most people are more comfortable with
the Live HTTP Headers extension[2].

[1] http://dent.student.umd.edu/~atrus/auth_test/
[2] http://livehttpheaders.mozdev.org/
the log shows much more information. it is therefore more helpful in analyzing bugs.

Updated

12 years ago
Assignee: darin → nobody

Comment 4

9 years ago
Is this bug still reproducible?
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Version: unspecified → 1.0 Branch
No reply, INCOMPLETE. Please retest with Firefox 3.6.3 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
Suggest related to bug 137852 and/or bug 201620.
You need to log in before you can comment on or make changes to this bug.