[Webkit-unassigned] [Bug 37989] Webkit based browsers do not supply credentials properly with Apache basic authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 22 14:55:56 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=37989

--- Comment #2 from bugs at bsc.gwu.edu  2010-04-22 14:55:56 PST ---
Mark,

I absolutely agree that if there was something obvious wrong with basic
authentication, it would have been noticed.  The problem is that it is not
obvious.  Let me elaborate...

First, let me say that I do not use or have not downloaded a WebKit-based
browser to do extensive testing myself. Perhaps I will do that.  But I do know
for a fact that the problem appears in various browsers, all of which are
WebKit-based.  For example, on my Google G1 phone, I have the same problem.

The reason the problem is not apparent is twofold. One reason is that the
browser does not always send a request without the credentials.  Most of the
time it does but something at some point triggers it to stop sending the uID/PW
with some of the requests.  The other reason why it has not been reported more
often is that perhaps all sites that use basic authentication for login do not
have any additional monitoring for failed logins.  What I am trying to say is
the following.  Let's assume that out of 100 requests from the client, 80 of
them did not include the credentials on the request.  The result of this would
be 80 server responses with a 401 HTTP result code.  The only place you can see
this is in the server logs.  The client does not see any problems or
prompts.  It just happens behind the scenes.  Unless you monitor the server
logs for 401 errors, you won't see this.  I have seen a few similar complaints
while using Google to search the web.

The reason this is affecting my site is because I have tools that actively
monitor the Apache logs for 401 errors.  This is how I found out there was a
problem.  This happens on multiple servers using various applications.  For
example, we have Java-based applications behind a basic authentication
Apache/Tomcat server.  I also see this on a Horde/IMP webmail server that is
PHP-based.  The client connects, does the initial Apache basic authentication
and after a short time, lots of requests begin coming in from the client without
the client credentials.

If you would let me know how or what type of additional information I can
provide you, I will be happy to do so. 

Thanks  


(In reply to comment #1)
> In my testing HTTP basic authentication has functioned exactly as I would
> expect.  I tested using
> <http://www.he.net/~jdoe/info/htaccess/example/restricted.html> with the
> username “john” and password of “orange”.  Safari correctly prompts for
> credentials and the page is displayed when they are entered.  If basic
> authentication was broken in general it would certainly have been noticed
> already, which indicates that any problem you’re seeing is somehow specific to
> your environment.  You’ll need to provide more information for us to be able to
> investigate this issue.  Please provide a URL that can be used to reproduce the
> problem that you describe.
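
Added example, not part of the original comment or of the reporter's tooling: a Python sketch of the log check described above, separating the expected first-challenge 401 from credential-less 401s that arrive after the same client has already authenticated. It assumes Apache common/combined log format, keys clients by source address (which merges users behind NAT), and uses constructed sample lines; `summarize` and `flag_clients` are hypothetical names.

```python
import re
from collections import defaultdict

# Apache common/combined prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not taken from the reporter's servers).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Apr/2010:14:00:01 -0700] "GET /mail/ HTTP/1.1" 401 401
192.0.2.10 - alice [22/Apr/2010:14:00:05 -0700] "GET /mail/ HTTP/1.1" 200 5120
192.0.2.10 - alice [22/Apr/2010:14:00:06 -0700] "GET /mail/inbox.php HTTP/1.1" 200 9000
192.0.2.10 - - [22/Apr/2010:14:03:10 -0700] "GET /mail/themes/a.css HTTP/1.1" 401 401
192.0.2.10 - alice [22/Apr/2010:14:03:10 -0700] "GET /mail/themes/a.css HTTP/1.1" 200 700
192.0.2.10 - - [22/Apr/2010:14:03:11 -0700] "GET /mail/js/imp.js HTTP/1.1" 401 401
192.0.2.10 - - [22/Apr/2010:14:03:12 -0700] "POST /mail/compose.php HTTP/1.1" 401 401
198.51.100.7 - - [22/Apr/2010:14:05:00 -0700] "GET /mail/ HTTP/1.1" 401 401
198.51.100.7 - bob [22/Apr/2010:14:05:04 -0700] "GET /mail/ HTTP/1.1" 200 5120
"""

def summarize(lines):
    """Per client: authenticated requests, first-challenge 401s, and
    401s with no user that arrive after the client has authenticated."""
    stats = defaultdict(lambda: {"authed": 0, "initial_401": 0, "late_401": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common/combined format line
        s = stats[m["host"]]
        if m["user"] != "-" and m["status"] != "401":
            s["authed"] += 1
        elif m["user"] == "-" and m["status"] == "401":
            # A 401 that carries a user name (bad password) is not counted.
            s["late_401" if s["authed"] else "initial_401"] += 1
    return dict(stats)

def flag_clients(stats, min_late=2):
    """Clients with at least min_late credential-less 401s after login."""
    return sorted(h for h, s in stats.items() if s["late_401"] >= min_late)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for host, s in result.items():
        print(host, s)
    print("flagged:", flag_clients(result))
```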
