84794 - Problem with HTTP basic authentication and cookies

Status: VERIFIED FIXED

(Core :: Networking: HTTP, defect, P2)

Description

[Darin Fisher]

Indraneel Sarkar wrote:
> There seems to be a problem with WWW-Authenticate: Basic and cookies.
> 
> Problem: I have a URL that requires "Basic" authentication. When the
> server responds with a 401 (Auth-required), it also sends a
> "Set-Cookie:" in the header. Now, this cookie is being set by Mozilla
> (build 2001060509); looked up in the "cookie manager". However, when
> the browser sends back the "Authorization" response, the cookie is
> not being sent back to the server. Why is the cookie not being sent back
> 
> to the originating server? Netscape 4.7x and IE 5.x both work fine.
> 
> Thanks,
> -Indraneel

Comment 1

[Osvaldo Pinali Doederlein]

Happens to me too.  Easy to reproduce: get Moz 0.9.1 release, Tomcat 3.2.2 
release and run the demo servlets which use cookies.

Comment 2

[benc]

Can you give me more information on the server you are using? I don't think my
Netscape based servers let me do something like that easily.

Comment 3

[Osvaldo Pinali Doederlein]

Benjamin: you only have to install Tomcat 3.2.2 
(http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.2/bin/), it is a 
free Java servlet container which does its own HTTP.  The problem should be a 
bad interaction btw Moz and Tomcat because the same Tomcat-served code works 
with MSIE, and the same Mozilla build succeeds to use cookies and basic 
authentication in other sites that I tested later.

Then, I updated to a nightly build (2001-06-11-20) and voila, the bug is gone! 
so it might have been a side effect of some other bug you recently fixed.

Comment 4

[Matthias Versen [:Matti]]

dupe of bug 83625 ?

Comment 5

[Osvaldo Pinali Doederlein]

Yes, the comments on bug 83625 mimic my experience (even the range of Moz 
builds which have the bug is exactly identical to mine; I saw the bug on 
prerelease 0.9.1 nightlies too).  I guess it should be closed as dup.

Comment 6

[Darin Fisher]

*** This bug has been marked as a duplicate of 83625 ***

Comment 7

[Matthias Versen [:Matti]]

verified dupe
(QA: Please tell me if you don´t want that I verify dupes)

Comment 8

[benc]

-> cookies

Matt, I do the networking components, and I don't mind. For duplicates, my
criteria is that you match the underlying problem of the dupe to the original.
Sometimes things get duped by Summary, ("mozilla gave very common error
message") when the actual causes are different.

Then again, nobody is perfect, I dupe stuff and go back and un-dupe it once I
realize they were not the same. If you are not confident, you can add a brief
note describing why you makred it a dupe.

Thanks for your help!

Comment 9

[Darin Fisher]

reopening per comments from the original reporter:

> Darin,
> 
> Thanks for submitting a bug report. I checked on the
> status this morning. It says, this is a duplicate of
> bug #83625. Well, the symptoms do not look the same.
> Bug 83625 has been closed as FIXED with build
> 2001-06-13-09-trunk. I tried with 2001-06-15-09 (Linux),
> and the problem persists. I feel these two bugs have
> different causes.
> 
> Here is a piece of captured network packets for your
> assistance:
> 
> <--- Request ?->
> GET /TEST/AuthTest HTTP/1.1
> Host: abc.dnsdhcp.provo.novell.com
> User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.18pre21 i686, en-US; rv:0.9.1+)
Gecko/20010615
> Accept: text/xml, application/xml, application/xhtml+xml, text/html, q=0.9 ...
> Accept-Language: en-us
> Acept-Encoding: gzip,deflate,compress,identity
> Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
> Keep-Alive: 300
> Connection: keep-alive
> 
> <--- Response ?->
> HTTP/1.1 401 Authorization Required
> Date: Fri, 15 June 2001 21:50:30 GMT
> Server: Apache/1.3.20 (Win32)
> Set-Cookie: authtest=AAAAAAAAAAA=; path=/TEST
> WWW-Authenticate: Basic realm="TEST"
> Keep-Alive: timeout=15, max=100
> Connection: keep-alive
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=iso-8859-1
> 
> <--- Request ?->
> GET /TEST/AuthTest HTTP/1.1
> Host: abc.dnsdhcp.provo.novell.com
> User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.18pre21 i686, en-US; rv:0.9.1+)
Gecko/20010615
> Accept: text/xml, application/xml, application/xhtml+xml, text/html, q=0.9 ...
> Accept-Language: en-us
> Acept-Encoding: gzip,deflate,compress,identity
> Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
> Keep-Alive: 300
> Connection: keep-alive
> Authorization: Basic asZq5uiX3ZiiksKlVzdB==
> 
> 
> NOTE: Cookie is absent in the Authorization request. I confirmed
> in the cookie manager that "authtest" is set to "AAAAAAAAAAA=".
> 
> Hope this helps.
> 
> Thanks,
> -Indraneel

Comment 10

[Darin Fisher]

i know what the problem is -> Networking:HTTP

Comment 11

[selmer (gone)]

Please update the status whiteboard with your eta.

Comment 12

[Darin Fisher]

Attachment: v1.0 http patch

Comment 13

[Darin Fisher]

Attachment: v1.0 cookies patch

Comment 14

[Darin Fisher]

http patch:
 - make sure we call OnExamineResponse for every HTTP response.
 - make sure we call OnModifyRequest before attempting to authenticate.

cookies patch:
 - make sure we clear any existing Cookie header before setting a new Cookie
   header.  otherwise, http would attempt to concatenate the new cookies with
   the old/existing ones.

Comment 15

[Gagan]

r=gagan

Comment 16

[Darin Fisher]

dougt says "sr="

Comment 17

[chris hofmann]

a=chofmann

Comment 18

[Darin Fisher]

fix checked in.

Comment 19

[benc]

Can we get an update from the reporter? Does this happen post patch?

Comment 20

[Tom Everingham]

no response in 3 months so I am assuming this is fixed, please re-open if this
problem still occurs