User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 In the HTTP basic authentication dialog, Firefox will send the correct password only at first time. If the first challenge fails, the HTTP server will prompt for athetnication again. When entering different credentials, they are messed up. The second password given is padded by the first, parts of the password of the first try will be send to the server again. The user will not notice the problem. Thie bug is evident if the second password is shorter than the first. Reproducible: Always Steps to Reproduce: 1. Select a HTTP server with HTTP basic authentication, and enable debugging of username and password credentials coming from clients 2. Open Firefox and visit the server. Enter invalid credentials with a long password. The server will challenge again. 3. Enter (maybe correct) credentials with a shorter password than before. The authentication fails. Actual Results: Authentication is not possible without restarting Firefox if the first challenge failed. Expected Results: Firefox should always send the entered credentials to the server. Here is a log of Firefox connecting to Tomcat 5.5.4. The client sends username "a" and password "1234567890", which fails, followed by a second try, username "b" and passwort "c". The second password "c" is padded by "234567890". 28.04.2005 21:37:24 DEBUG [http-9090-Processor25] [localhost].[/] - Returned username "a" 28.04.2005 21:37:24 DEBUG [http-9090-Processor25] [localhost].[/] - Returned password "1234567890" 28.04.2005 21:37:38 DEBUG [http-9090-Processor25] [localhost].[/] - Returned username "b" 28.04.2005 21:37:38 DEBUG [http-9090-Processor25] [localhost].[/] - Returned password "c234567890"
Assignee: nobody → darin
Component: Security → Networking: HTTP
Product: Firefox → Core
QA Contact: firefox → networking.http
Version: unspecified → Trunk
I don't see this on a quick test against an http server I happen to have that requires auth. Will test more later. You could run a log and see if anything shows up: http://www.mozilla.org/projects/netlib/http/http-debugging.html
Component: Networking: HTTP → Security
Product: Core → Firefox
QA Contact: networking.http → firefox
Version: Trunk → unspecified
I haven't been able to reproduce this bug in 1.0.4 with a simple test page. The log is good and powerful, but I find most people are more comfortable with the Live HTTP Headers extension.  http://dent.student.umd.edu/~atrus/auth_test/  http://livehttpheaders.mozdev.org/
the log shows much more information. it is therefore more helpful in analyzing bugs.
13 years ago
Is this bug still reproducible?
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME http://www.mozilla.com http://support.mozilla.com/kb/Managing+profiles http://support.mozilla.com/kb/Safe+mode
Version: unspecified → 1.0 Branch
No reply, INCOMPLETE. Please retest with Firefox 3.6.3 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.