Passwords are not saved when xmlhttprequests are made to http basic auth files




11 years ago


(Reporter: vogue, Unassigned)


Firefox Tracking Flags: (Not tracked)




11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b1) Gecko/2007110904 Firefox/3.0b1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b1) Gecko/2007110904 Firefox/3.0b1

When logged in to a basic http auth site, that also uses xmlhttprequests to look up information, during a timeout, the password is not saved when the xmlhttprequest is attempted again.  There was a previous bug where the HTTP basic auth itself was not saved after a timeout.  That has been fixed in FF3b1, however, it is still not saving passwords when an xmlhttprequest is made directly after the timeout occurs.

Reproducible: Always

Steps to Reproduce:
1. Login to HTTP basic auth site.
2. Wait for timeout of the cookie that authenticated
3. Initiate an xmlhttprequest to a page behind the same HTTP basic auth

Actual Results:  
Username and Password fields will come up blank every time, even though the basic auth password has been saved.

Expected Results:  
Username and Password fields should be automatically filled in, just like they are when you make a normal HTTP request after the http basic auth login times out.

As I said above, in previous versions of firefox, the http basic auth password is not saved.  You can test this by logging into phpmyadmin via HTTP basic auth, then pressing "logout."  The cookie expires, and the HTTP basic auth prompt comes back empty when you have told it to save.  This is now fixed in FF3b1, however, if the cookie expires, but you hit a field that makes use of xmlhttprequest to populate, or do a query, and uses a backend PHP script that is behind the same HTTP basic auth, the username/password prompt comes up blank.  It should come up with the same username and password already filled out that you used to gain access initially.


11 years ago
Summary: Passwords are not save when xmlhttprequests are made to http basic auth files → Passwords are not saved when xmlhttprequests are made to http basic auth files

A test case would be helpful here.

Comment 2

11 years ago
Unfortunately this is on an internal work system.  I can maybe come up with some sort of example elsewhere to test.

In this case, you log in (HTTP basic auth using RADIUS) and can use the page, and FF3b1 always remembers the password, unless you time out and click in a JavaScript field. This field then contacts another script on the same site to pull some info with XMLHttpRequest, and this time, when the login pops up, it is blank. It doesn't save the HTTP basic auth password on that type of request. It does when I go directly to the page being called by the XMLHttpRequest. It seems the XMLHttpRequest itself is part of the problem?


Comment 3

11 years ago
I don't think I'm going to be able to put together an example.  But I can tell you what it requires:

1) A site that uses php http auth, and a cookie to time you out.
2) Login, tell FF to remember the password, and wait for the timeout.
3) Once you have timed out, trigger an xmlhttprequest to a file that requires the same php http auth.  (in my case, click in and out of a text field that calls an xmlhttprequest)
4) A username/password box will come up blank. (when it should have the stored user/pass from the initial login)

The xmlhttprequest works, as long as you aren't timed out.  It uses the stored password you initially enter.  But if you time out, and try to re-establish the connection via the xmlhttprequest first, it does not remember the password.

Reloading the page any other way seems to remember it every time.  Only that xmlhttprequest when the cookie has timed out and you would normally be forced to re-authenticate (with a stored user/pass).

I was going to use phpmyadmin, it redirects on logout though.  Basically you could add a field that triggered an xmlhttprequest in phpmyadmin to some phpmyadmin page, or one of your own in the phpmyadmin directory.  Kill the redirect on logout, so you can still click in and out of the field.  

Then logout, destroy the cookie, and see if the xmlhttprequest brings up the password box correctly.  It should be blank in FF3b1 and b2.

Could you enable the password manager debugging (see, and report what's shown when (1) you initially log in and (2) when you get an empty popup after the timeout.

Duplicate of this bug: 413249

Comment 6

11 years ago
I'd like to point out that bug 413249 was marked as a major regression, because XMLHttpRequest passwords are never remembered across a Firefox restart.

Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 413249


11 years ago
Product: Firefox → Toolkit
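
The setup that comment 3 lists as required (HTTP auth plus a cookie that times the session out, and a text field that fires an XMLHttpRequest to a resource behind the same auth) can be sketched as a small local test server. This is an added example in Node.js, not a test case from the reporter or from Mozilla; the realm, the test/secret credentials, the 30-second lifetime, the `challenged` cookie and port 8080 are assumptions made for it.

```javascript
// Added reproduction sketch, not code from the bug report.
// Constructed values: realm, test/secret credentials, 30 s session, port 8080.
const REALM = 'repro', USER = 'test', PASS = 'secret', TTL_MS = 30000;

// Page with a text field whose blur handler fires an XMLHttpRequest to /lookup,
// which sits behind the same Basic auth realm as the page itself.
const PAGE = `<!doctype html><input id="f" placeholder="click in, then out">
<pre id="out"></pre><script>
document.getElementById('f').onblur = function () {
  var x = new XMLHttpRequest();
  x.open('GET', '/lookup');
  x.onload = function () { document.getElementById('out').textContent = x.status; };
  x.send();
};
</script>`;

function basicOk(header) {
  if (!header || !header.startsWith('Basic ')) return false;
  return Buffer.from(header.slice(6), 'base64').toString('utf8') === USER + ':' + PASS;
}

function cookie(headers, name) {
  const m = new RegExp('(?:^|;\\s*)' + name + '=([^;]*)').exec(headers.cookie || '');
  return m ? m[1] : '';
}

// Returns { status, headers, body } for one request at time `now` (ms).
function respond(url, headers, now) {
  const body = url === '/lookup' ? 'lookup ok' : PAGE;
  if (Number(cookie(headers, 'session')) > now) return { status: 200, headers: {}, body };
  // Session expired: challenge once even if the browser replays cached
  // credentials, so that a fresh login prompt is forced (assumed site behaviour).
  if (cookie(headers, 'challenged') === '1' && basicOk(headers.authorization)) {
    const set = ['session=' + (now + TTL_MS) + '; Path=/', 'challenged=0; Path=/'];
    return { status: 200, headers: { 'Set-Cookie': set }, body };
  }
  return { status: 401, body: 'auth required', headers: {
    'WWW-Authenticate': 'Basic realm="' + REALM + '"', 'Set-Cookie': ['challenged=1; Path=/'] } };
}

// Start with: node repro.js serve   then browse to http://127.0.0.1:8080/
if (process.argv[2] === 'serve') {
  import('node:http').then((http) => http.createServer((req, res) => {
    const r = respond(req.url, req.headers, Date.now());
    res.writeHead(r.status, Object.assign({ 'Content-Type': 'text/html' }, r.headers));
    res.end(r.body);
  }).listen(8080, '127.0.0.1'));
}
```

Log in, let Firefox save the password, wait 30 seconds, then click in and out of the field: the XMLHttpRequest to `/lookup` receives the 401 that raises the prompt the report is about.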