Closed
Bug 292262
Opened 19 years ago
Closed 14 years ago
Multiple passwords in HTTP basic authentication will not be transmitted correctly
Categories
(Firefox :: Security, defect)
RESOLVED
INCOMPLETE
People
(Reporter: joergprante, Unassigned)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

In the HTTP basic authentication dialog, Firefox will send the correct password only the first time. If the first challenge fails, the HTTP server will prompt for authentication again. When entering different credentials, they are messed up. The second password given is padded by the first; parts of the password of the first try will be sent to the server again. The user will not notice the problem. This bug is evident if the second password is shorter than the first.

Reproducible: Always

Steps to Reproduce:
1. Select an HTTP server with HTTP basic authentication, and enable debugging of username and password credentials coming from clients.
2. Open Firefox and visit the server. Enter invalid credentials with a long password. The server will challenge again.
3. Enter (maybe correct) credentials with a shorter password than before. The authentication fails.

Actual Results: Authentication is not possible without restarting Firefox if the first challenge failed.

Expected Results: Firefox should always send the entered credentials to the server.

Here is a log of Firefox connecting to Tomcat 5.5.4. The client sends username "a" and password "1234567890", which fails, followed by a second try, username "b" and password "c". The second password "c" is padded by "234567890".

28.04.2005 21:37:24 DEBUG [http-9090-Processor25] [localhost].[/] - Returned username "a"
28.04.2005 21:37:24 DEBUG [http-9090-Processor25] [localhost].[/] - Returned password "1234567890"
28.04.2005 21:37:38 DEBUG [http-9090-Processor25] [localhost].[/] - Returned username "b"
28.04.2005 21:37:38 DEBUG [http-9090-Processor25] [localhost].[/] - Returned password "c234567890"
Updated•19 years ago
Assignee: nobody → darin
Component: Security → Networking: HTTP
Product: Firefox → Core
QA Contact: firefox → networking.http
Version: unspecified → Trunk
Comment 1•19 years ago
I don't see this on a quick test against an http server I happen to have that requires auth. Will test more later. You could run a log and see if anything shows up: http://www.mozilla.org/projects/netlib/http/http-debugging.html
Component: Networking: HTTP → Security
Product: Core → Firefox
QA Contact: networking.http → firefox
Version: Trunk → unspecified
Comment 2•19 years ago
I haven't been able to reproduce this bug in 1.0.4 with a simple test page[1]. The log is good and powerful, but I find most people are more comfortable with the Live HTTP Headers extension[2].
[1] http://dent.student.umd.edu/~atrus/auth_test/
[2] http://livehttpheaders.mozdev.org/
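A triage check for the symptom in the description, as an added example that is not part of the original thread or of Firefox's code: it decodes captured Authorization: Basic header values (for instance copied from an HTTP log or Live HTTP Headers) and flags a retry whose password has the same length as the previous attempt and repeats its tail. The function names are hypothetical, and the sample headers are constructed here from the usernames and passwords in the reporter's log.

```python
import base64

def basic(user, password):
    """Build an Authorization header value (used for the constructed sample)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(value):
    """Decode 'Basic <base64>' into (username, password)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True)
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep:
        raise ValueError("missing ':' between username and password")
    return user, password  # only the first ':' splits; passwords may contain ':'

def leftover_suffix(prev_pw, cur_pw, min_len=3):
    """Tail of cur_pw that repeats prev_pw at the same offsets, else ''."""
    if len(prev_pw) != len(cur_pw) or prev_pw == cur_pw:
        return ""
    n = 0
    while prev_pw[-1 - n] == cur_pw[-1 - n]:
        n += 1  # terminates: equal length and not identical
    return cur_pw[len(cur_pw) - n:] if n >= min_len else ""

def find_padded_retries(header_values, min_len=3):
    """Compare each attempt with the one before it and report suspect retries."""
    findings, prev_pw = [], None
    for value in header_values:
        user, pw = parse_basic(value)
        tail = leftover_suffix(prev_pw, pw, min_len) if prev_pw is not None else ""
        if tail:
            findings.append({"user": user,
                             "typed_part": pw[:len(pw) - len(tail)],
                             "leftover": tail})
        prev_pw = pw
    return findings

# Constructed sample: the two attempts from the reporter's Tomcat log, then a
# retry that carries only the password "c" (what the report expects to be sent).
SAMPLE = [basic("a", "1234567890"), basic("b", "c234567890"), basic("b", "c")]

if __name__ == "__main__":
    for hit in find_padded_retries(SAMPLE):
        print(hit)
```

A hit is only a lead to compare against what was actually typed, since a user correcting the first characters of a password produces the same pattern; use throwaway test credentials when capturing headers.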
Comment 3•19 years ago
The log shows much more information. It is therefore more helpful in analyzing bugs.
Updated•18 years ago
Assignee: darin → nobody
Comment 4•15 years ago
Is this bug still reproducible?
Comment 5•14 years ago
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Version: unspecified → 1.0 Branch
Comment 6•14 years ago
No reply, INCOMPLETE. Please retest with Firefox 3.6.3 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest Firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
Comment 7•10 years ago
Suggest related to bug 137852 and/or bug 201620.