Bug 512709 - firefox sends wrong http basic auth credentials
Status: UNCONFIRMED
Whiteboard: [necko-backlog]
Product: Core
Classification: Components
Component: Networking: HTTP
Version: unspecified
Hardware: x86 Windows XP
Importance: -- normal with 1 vote
Target Milestone: ---
Assigned To: Nobody
: Patrick McManus [:mcmanus]
Blocks: 61681
Reported: 2009-08-26 09:29 PDT by guille.rodriguez
Modified: 2016-02-04 10:30 PST

Description guille.rodriguez 2009-08-26 09:29:22 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Under certain circumstances Firefox seems to be sending the wrong set of http basic auth credentials. The problem happens in this scenario:

- First, the user successfully authenticates as userA/passA in order to access http://host/pathA, auth realm "realmA"
- Then, the user successfully authenticates as userB/passB in order to access http://host/pathB, auth realm "realmB"
- The document at http://host/pathB contains an html form that allows file uploads to pathB. If the user now tries to upload a file, Firefox will first try userA/passA (wrong), then upon receiving a 401 response from the server, Firefox will automatically retry the request, using userB/passB this time (right).
- The operation finally succeeds but the file has been transferred twice over the network.


Reproducible: Always

Steps to Reproduce:
1. User tries to access http://host/pathA
2. Server responds with 401, identifies realm as "realmA"
3. Firefox prompts for user/password. User enters userA/passA
4. Firefox sends the correct credentials, server sends back the document
5. User now tries to access http://host/pathB, which is configured for a different protection realm
6. Firefox preemptively sends userA/passA. This is correct per RFC 2617
7. Server responds with 401, identifies realm as "realmB"
8. Firefox prompts for user/password. User enters userB/passB
9. Firefox sends the correct credentials, server sends back the document
10. The document at http://host/pathB contains an html form with a 'file upload' field. The target action for the form is "pathB". User selects a file and hits Upload.

Actual Results:  
1. Firefox first tries to send the file by means of a POST request to http://host/pathB, but using the wrong credentials (userA/passA)
2. Server responds with 401, identifies realm as "realmB"
3. Firefox automatically retries with userB/passB
4. The operation completes successfully, but note that the file has been submitted TWICE over the network.


Expected Results:  
1. Firefox tries to send the file by means of a POST request to http://host/pathB, using the right credentials (userB/passB)
Comment 1 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2009-08-28 07:13:47 PDT
Please use an addon such as LiveHTTPHeaders and post the HTTP headers from this session.  It will make debugging this much easier.
Comment 2 guille.rodriguez 2009-09-07 05:01:48 PDT
I am copying the HTTP headers for the session described above.

realmA = userA = passA = "1"
realmB = userB = passB = "2"


==========================================================
GET /pathA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="1"

==========================================================
GET /pathA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox

HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 378

==========================================================
GET /favicon.ico HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox

HTTP/1.x 404 Object not found
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 42
Connection: Close

==========================================================
GET /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox

HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="2"

==========================================================
GET /favicon.ico HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic MTox

HTTP/1.x 404 Object not found
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 42
Connection: Close

==========================================================
GET /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic Mjoy

HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 558

==========================================================
POST /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/pathB
Authorization: Basic MTox
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 347
-----------------------------41184676334
Content-Disposition: form-data; name="file_name"; filename="text.txt"
Content-Type: text/plain

This is a test file for the uploading bug.
-----------------------------41184676334
Content-Disposition: form-data; name="command:upload_config"

Actualizar
-----------------------------41184676334--

HTTP/1.x 401 Unauthorized
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 298
WWW-Authenticate: Basic realm="2"

==========================================================
POST /pathB HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/pathB
Authorization: Basic Mjoy
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 347
-----------------------------41184676334
Content-Disposition: form-data; name="file_name"; filename="text.txt"
Content-Type: text/plain

This is a test file for the uploading bug.
-----------------------------41184676334
Content-Disposition: form-data; name="command:upload_config"

Actualizar
-----------------------------41184676334--

HTTP/1.x 200 OK
Server: My-httpd/1.0
Content-Type: text/html
Content-Length: 618
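The credential selection the report expects, as an added example (not Firefox's Necko code): a small Python cache that applies the RFC 2617 protection-space rule (credentials accepted for a URL are reused for paths in the same directory or deeper) and, when several entries cover a path, prefers the one accepted for that exact path; it also decodes the `Authorization: Basic` values seen in the trace above. Host, paths, realms and credentials are the ones in the trace; the class and function names are assumptions of this example.

```python
import base64
from urllib.parse import urlsplit


def decode_basic(header_value):
    """Decode an 'Authorization: Basic <base64>' value into (user, password)."""
    scheme, _, token = header_value.strip().partition(' ')
    if scheme.lower() != 'basic':
        raise ValueError('not a Basic credential')
    user, _, password = base64.b64decode(token).decode('latin-1').partition(':')
    return user, password


class BasicAuthCache:
    """Client-side credential cache organised by RFC 2617 protection space
    (canonical root URL plus realm). Credentials accepted for a URL are
    reused for any path in the same directory or deeper. When several
    entries cover a path, one accepted for that exact path wins; otherwise
    the most recently accepted entry is used."""

    def __init__(self):
        self._entries = []  # (host, dir_prefix, exact_path, realm, user, password)

    def store(self, url, realm, user, password):
        u = urlsplit(url)
        directory = u.path.rsplit('/', 1)[0] + '/'   # directory of the accepted URL
        self._entries.append((u.netloc, directory, u.path, realm, user, password))

    def lookup(self, url):
        """Credentials to send preemptively for url, or None if nothing applies."""
        u = urlsplit(url)
        covering = [e for e in self._entries
                    if e[0] == u.netloc and (u.path + '/').startswith(e[1])]
        if not covering:
            return None
        exact = [e for e in covering if e[2] == u.path]
        host, directory, path, realm, user, password = (exact or covering)[-1]
        return user, password


def replay_bug_sequence():
    """Walk the sequence from the report (values as captured in the trace) and
    return what the cache sends for the first GET /pathB and the POST upload."""
    cache = BasicAuthCache()
    cache.store('http://localhost/pathA', '1', '1', '1')      # realm "1" accepted
    first_get_pathb = cache.lookup('http://localhost/pathB')  # preemptive, step 6
    cache.store('http://localhost/pathB', '2', '2', '2')      # realm "2" accepted
    post_pathb = cache.lookup('http://localhost/pathB')       # the form upload
    return first_get_pathb, post_pathb
```

With this rule the first GET /pathB still goes out with userA (the behaviour step 6 calls correct), while the POST to /pathB picks userB, so the upload body is sent once.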
Comment 3 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2009-09-07 05:13:11 PDT
OK, thanks.  Looks like a duplicate of Bug 137852 to me.  Sadly this has been around for a long time.
Comment 4 guille.rodriguez 2009-09-07 05:46:51 PDT
Not sure if this is exactly the same as bug 137852. Apparently both have to do with sending wrong auth credentials. However the issue I'm reporting has to do with auth credentials not being correctly associated with different URL subpaths, whereas bug 137852 doesn't seem to have anything to do with paths -- rather with caching. But I'm looking at this from a user's perspective only. Maybe the two issues are related internally.