Closed Bug 412349 Opened 15 years ago Closed 6 years ago

username & password forgotten after creating a security exception

Categories

(Core Graveyard :: Security: UI, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: eyalroz1, Unassigned)


I use an .htaccess file in some folder on my webserver, which has a self-signed certificate. When I first visit that folder with a recent build, I get a uname & password box first, with the known values in the text boxes. I press OK, then get the message about the bad certificate, then I choose to create an exception, and after that I get the uname & password box again (problem no. 1; I already entered them) and with no suggested text this time (problem no. 2).

I don't understand how you would run into such a scenario.

I think you're saying:
- have a site that requires http basic auth
- you successfully connected to that site in the past
  and Firefox has username+password remembered
- now the site is using an untrusted cert, and Firefox rejects it

With the above configuration, you attempt to visit that site.
You're saying you are prompted to enter the login data and Firefox has prefilled the login dialog.
Only after you confirm the login you get an error page.

Is my understanding of your bug report correct?


I tried to reproduce using this URL:
  https://www.kuix.de/misc/basicauth/
I added an exception, logged in, asked Firefox to remember username+password, then deleted the exception, quit Firefox, then restarted Firefox, then tried to access again.

I think this procedure should give me the identical setup.

But when I try to connect again, I immediately get the error page, as expected.
I cannot reproduce your bug.


Please provide more detailed steps to reproduce, ideally starting from a fresh profile.

Yeah, this one confused me too. Maybe there's a redirect behind the http-auth that's biting him? E.g.

Login to http://example.com
http://example.com 302 redirects to https://example.com (??)
Cert error
Add exception
Attempt to reload https://example.com, have to re-authenticate

I don't see, in that situation, though, why the credential behaviour would change - pwmgr is doing proto://host:port matching, and none of those have changed before the exception vs. after.

Copying dolske since He Knows All about passwords.
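
The redirect hypothesis and the proto://host:port matching mentioned in the comment above, as an added example that is not part of any comment in this bug and is not Firefox code. It is a simplified model: the `Profile` class, `loginKey` and the sample credentials are hypothetical, and the only assumption taken from the thread is that saved logins are looked up by proto://host:port.

```javascript
// Simplified model (assumption): saved logins are keyed by proto://host:port,
// and certificate exceptions live in a separate store keyed by host:port.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function effectivePort(u) {
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (!port) throw new Error("unsupported scheme: " + u.protocol);
  return port;
}

// Normalise a URL to its login key; path, query and userinfo are ignored.
function loginKey(rawUrl) {
  const u = new URL(rawUrl); // the URL parser lowercases scheme and host
  return `${u.protocol}//${u.hostname}:${effectivePort(u)}`;
}

class Profile {
  constructor() {
    this.logins = new Map();        // loginKey -> { username, password }
    this.certOverrides = new Set(); // "host:port"
  }
  saveLogin(url, username, password) {
    this.logins.set(loginKey(url), { username, password });
  }
  addCertException(url) {
    const u = new URL(url);
    this.certOverrides.add(`${u.hostname}:${effectivePort(u)}`);
  }
  // Username the auth prompt would be prefilled with, or null if none matches.
  prefill(url) {
    const hit = this.logins.get(loginKey(url));
    return hit ? hit.username : null;
  }
}

// Constructed scenario: login saved for the http:// origin, then a redirect to https://.
function redirectScenario() {
  const p = new Profile();
  p.saveLogin("http://example.com/", "alice", "constructed-password");
  const httpPrompt = p.prefill("http://example.com/private/");
  const httpsBefore = p.prefill("https://example.com/private/");
  p.addCertException("https://example.com/private/");
  const httpsAfter = p.prefill("https://example.com/private/");
  return { httpPrompt, httpsBefore, httpsAfter };
}
```

In this model the https:// prompt is empty both before and after the exception is added, because the scheme and port in the key differ from the saved http:// entry, while the exception itself leaves the key unchanged.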

Huh, yeah, a redirect would seem likely. If there's a bad cert, I'd expect the SSL connection to fail before the site ever gets a chance to authenticate.

Try enabling password manager debugging, and paste/attach the log here... http://wiki.mozilla.org/Firefox:Password_Manager_Debugging

(Oh, ignore the first half of my last comment. I missed that you're adding an override.)

(In reply to comment #1)
> Is my understanding of your bug report correct?

Yes, except I neglected to mention I'm using SM trunk 2008-01-01 02.

> Please provide more detailed steps to reproduce, ideally starting from a fresh
> profile.

I'll try to get around to that soon.

reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody

Is this still an issue?
Flags: needinfo?(eyalroz)

(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
It might be, but I don't have that machine anymore, so I can't check. You can close this if you like.
Flags: needinfo?(eyalroz)

Ok - thanks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE

Product: Core → Core Graveyard