firefox sends wrong http basic auth credentials

Status: UNCONFIRMED
Assigned to: Unassigned
Product: Core
Component: Networking: HTTP
Reported: 8 years ago
Modified: 2 years ago
Reporter: guille.rodriguez
Firefox Tracking Flags: (Not tracked)
Whiteboard: [necko-backlog]
Description (Reporter, 8 years ago)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Under certain circumstances Firefox seems to be sending the wrong set of http basic auth credentials. The problem happens in this scenario:

- First, the user successfully authenticates as userA/passA in order to access http://host/pathA, auth realm "realmA"
- Then, the user successfully authenticates as userB/passB in order to access http://host/pathB, auth realm "realmB"
- The document at http://host/pathB contains an HTML form that allows file uploads to pathB. If the user now tries to upload a file, Firefox will first try userA/passA (wrong), then, upon receiving a 401 response from the server, Firefox will automatically retry the request, using userB/passB this time (right).
- The operation finally succeeds, but the file has been transferred twice over the network.


Reproducible: Always

Steps to Reproduce:
1. User tries to access http://host/pathA
2. Server responds with 401, identifies realm as "realmA"
3. Firefox prompts for user/password. User enters userA/passA
4. Firefox sends the correct credentials, server sends back the document
5. User now tries to access http://host/pathB, which is configured for a different protection realm
6. Firefox preemptively sends userA/passA. This is correct as of RFC 2617
7. Server responds with 401, identifies realm as "realmB"
8. Firefox prompts for user/password. User enters userB/passB
9. Firefox sends the correct credentials, server sends back the document
10. The document at http://host/pathB contains an HTML form with a 'file upload' field. The target action for the form is "pathB". User selects a file and hits Upload.

Actual Results:  
1. Firefox first tries to send the file by means of a POST request to http://host/pathB, but using the wrong credentials (userA/passA)
2. Server responds with 401, identifies realm as "realmB"
3. Firefox automatically retries with userB/passB
4. The operation completes successfully, but note that the file has been submitted TWICE over the network.


Expected Results:  
1. Firefox tries to send the file by means of a POST request to http://host/pathB, using the right credentials (userB/passB)
Comment 1

Component: Security → Networking: HTTP
Product: Firefox → Core
QA Contact: firefox → networking.http
Please use an addon such as LiveHTTPHeaders and post the HTTP headers from this session. It will make debugging this much easier.
Comment 2 (Reporter, 8 years ago)

I am copying the HTTP headers for the session described above.

realmA = userA = passA = "1"
realmB = userB = passB = "2"


==========================================================
GET /pathA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="1"

==========================================================
GET /pathA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox

HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 378

==========================================================
GET /favicon.ico HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox

HTTP/1.x 404 Object not found
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 42
Connection: Close

==========================================================
GET /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox

HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="2"

==========================================================
GET /favicon.ico HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox

HTTP/1.x 404 Object not found
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 42
Connection: Close

==========================================================
GET /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic Mjoy

HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 558

==========================================================
POST /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/pathB
Authorization: Basic MTox
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 347
-----------------------------41184676334
Content-Disposition: form-data; name="file_name"; filename="text.txt"
Content-Type: text/plain

This is a test file for the uploading bug.
-----------------------------41184676334
Content-Disposition: form-data; name="command:upload_config"

Actualizar
-----------------------------41184676334--

HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="2"

==========================================================
POST /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/pathB
Authorization: Basic Mjoy
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 347
-----------------------------41184676334
Content-Disposition: form-data; name="file_name"; filename="text.txt"
Content-Type: text/plain

This is a test file for the uploading bug.
-----------------------------41184676334
Content-Disposition: form-data; name="command:upload_config"

Actualizar
-----------------------------41184676334--

HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 618
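The scenario in the description and the capture in Comment 2 both come down to one question: which cached Basic credential should a client send preemptively for a given request? The following is an added example, not code from the bug report, from Firefox, or from Necko. It models how a client can scope Basic credentials by protection space in the sense of RFC 2617 section 2 (canonical root URL plus realm, with a challenge at a URI covering everything at or below that URI's directory), and replays a session condensed from the headers above through that model. The condensed session and the prompt answers (realm "1" gets user/password "1"/"1", realm "2" gets "2"/"2") are taken from the post; the rule "exact-path knowledge beats directory-prefix knowledge" is my assumption about how a careful client resolves two realms that share the same directory, not a description of what Firefox does.

```python
"""Added example (not from the bug report or from Firefox): scope HTTP Basic
credentials by protection space and audit a captured session against it."""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed session, condensed from the LiveHTTPHeaders capture in Comment 2.
# (method, path, Authorization header sent or None, status, realm challenged or None)
SESSION: List[Tuple[str, str, Optional[str], int, Optional[str]]] = [
    ("GET",  "/pathA", None,         401, "1"),
    ("GET",  "/pathA", "Basic MTox", 200, None),
    ("GET",  "/pathB", "Basic MTox", 401, "2"),   # preemptive per RFC 2617, realm differs
    ("GET",  "/pathB", "Basic Mjoy", 200, None),
    ("POST", "/pathB", "Basic MTox", 401, "2"),   # the wrong choice the report describes
    ("POST", "/pathB", "Basic Mjoy", 200, None),  # automatic retry: body sent twice
]

# What the user typed at each prompt (from the report: realmA = userA = passA = "1", ...).
PROMPT_ANSWERS: Dict[str, Tuple[str, str]] = {"1": ("1", "1"), "2": ("2", "2")}


def decode_basic(header: str) -> Tuple[str, str]:
    """Decode 'Basic <base64(user:password)>' into (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential: {header!r}")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def directory_of(path: str) -> str:
    """RFC 2617 sec. 2: a challenge at /a/b/c.html covers everything under /a/b/."""
    return path[: path.rfind("/") + 1]


class BasicCredentialCache:
    """Credentials keyed by realm; the realm is learned per exact path and per directory."""

    def __init__(self) -> None:
        self.creds: Dict[str, Tuple[str, str]] = {}   # realm -> (user, password)
        self.path_realm: Dict[str, str] = {}          # exact request path -> realm
        self.dir_realm: Dict[str, str] = {}           # directory prefix -> last realm seen

    def learn_challenge(self, path: str, realm: str) -> None:
        self.path_realm[path] = realm
        self.dir_realm[directory_of(path)] = realm

    def store(self, realm: str, user: str, password: str) -> None:
        self.creds[realm] = (user, password)

    def preemptive(self, path: str) -> Optional[Tuple[str, str]]:
        """Assumed resolution rule: exact-path knowledge wins, otherwise the
        longest known directory prefix; None if nothing is known for the path."""
        realm = self.path_realm.get(path)
        if realm is None:
            matches = [d for d in self.dir_realm if path.startswith(d)]
            if not matches:
                return None
            realm = self.dir_realm[max(matches, key=len)]
        return self.creds.get(realm)


def audit_session(session=SESSION) -> List[str]:
    """Replay the session and list every request whose Authorization header differs
    from what the protection-space model would have sent preemptively."""
    cache = BasicCredentialCache()
    findings: List[str] = []
    for method, path, auth, status, realm in session:
        expected = cache.preemptive(path)
        sent = decode_basic(auth) if auth else None
        if sent != expected:
            findings.append(f"{method} {path}: sent {sent}, protection-space model gives {expected}")
        if status == 401 and realm is not None:
            cache.learn_challenge(path, realm)
            if realm not in cache.creds:            # first challenge for this realm: user is prompted
                cache.store(realm, *PROMPT_ANSWERS[realm])
    return findings


if __name__ == "__main__":
    for line in audit_session():
        print(line)
```

Replaying the capture, the model agrees with every request except the first POST /pathB: by then the client has already been challenged with realm "2" at exactly /pathB, so the only credential consistent with the protection space is "2"/"2", and sending "1"/"1" both discloses realm "1"'s credential to a different realm and forces the multipart body to be transmitted a second time. The preemptive "1"/"1" on the first GET /pathB is reported as consistent, matching the reporter's note that step 6 is correct under RFC 2617.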
Comment 3

OK, thanks. Looks like a duplicate of Bug 137852 to me. Sadly this has been around for a long time.
Blocks: 61681
Comment 4 (Reporter, 8 years ago)

Not sure if this is exactly the same as bug 137852. Apparently both have to do with sending wrong auth credentials. However, the issue I'm reporting has to do with auth credentials not being correctly associated with different URL subpaths, whereas bug 137852 doesn't seem to have anything to do with paths -- rather with caching. But I'm looking at this from a user's perspective only. Maybe the two issues are related internally.
Whiteboard: [necko-backlog]