[Webkit-unassigned] [Bug 37989] Webkit based browsers do not supply credentials properly with Apache basic authentication

bugzilla-daemon at webkit.org
Fri Apr 23 13:41:56 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=37989





--- Comment #8 from bugs at bsc.gwu.edu  2010-04-23 13:41:56 PST ---
(In reply to comment #7)
> I don't see anything wrong in the attached log. Basic credentials can be only
> sent preemptively for resources in the same (or deeper) directories as
> resources that were fetched with authentication before, see RFC 2617:
> 
>    A client SHOULD assume that all paths at or deeper than the depth of
>    the last symbolic element in the path field of the Request-URI also
>    are within the protection space specified by the Basic realm value of
>    the current challenge. A client MAY preemptively send the
>    corresponding Authorization header with requests for resources in
>    that space without receipt of another challenge from the server.
> 

I agree with the RFC and since these objects are under different directories, I
understand that the RFC states that the browser MAY preemptively send
credentials.  In fact, other browsers (Firefox, IE, etc.) do.


> In the log, there are no prior requests for /themes/graphics/nav or
> /themes/graphics, so we must send a request without credentials and get a 401
> challenge first.

My apologies.  I attached a small section of the log and therefore, it was not
clear that some objects had already been retrieved from the same directories. 
I have attached a new log that shows the entire transaction.  Please note, for
example, objects such as '/js/prototype.js', which is requested repeatedly.

Also, this is a small example.  I recently had to have the server send
an expiration header for image objects so that they are not repeatedly asked for.
 Otherwise, we would see repeated requests with and without credentials for
image type objects as well.  Please see new attached file.  Thanks.

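The protection-space rule quoted from RFC 2617 in this thread, as an added example that is not part of the original message or of WebKit's code: a small Node.js credential cache that decides when a Basic Authorization header may be sent preemptively and when the request has to go out bare and wait for a 401. Class and function names, the host and the realm are assumptions; the paths echo those mentioned in the thread and the credentials are the sample pair from RFC 2617.

```javascript
// Added example (Node.js): RFC 2617 protection-space rule for Basic auth.
// Names are hypothetical; host, realm and request paths are constructed input.

// Directory part of a URL path: "/js/prototype.js" -> "/js/".
function protectionPrefix(pathname) {
  return pathname.slice(0, pathname.lastIndexOf('/') + 1);
}

class BasicCredentialCache {
  constructor() {
    this.spaces = []; // entries: { origin, prefix, realm, header }
  }

  // Record credentials the server accepted for `url` under `realm`.
  remember(url, realm, user, password) {
    const u = new URL(url);
    const header = 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
    this.spaces.push({ origin: u.origin, prefix: protectionPrefix(u.pathname), realm, header });
    return header;
  }

  // Header to send before any challenge, or null when the request must go
  // out bare first. Only same-origin paths at or below a known prefix match.
  preemptiveHeader(url) {
    const u = new URL(url);
    const hit = this.spaces.find(
      s => s.origin === u.origin && u.pathname.startsWith(s.prefix));
    return hit ? hit.header : null;
  }

  // A 401 arrived for `url`: reuse credentials already known for the same
  // origin and realm, and extend the protection space to the new directory.
  onChallenge(url, realm) {
    const u = new URL(url);
    const known = this.spaces.find(s => s.origin === u.origin && s.realm === realm);
    if (!known) return null; // unknown realm: the user has to be prompted
    this.spaces.push({ ...known, prefix: protectionPrefix(u.pathname) });
    return known.header;
  }
}

// Constructed request sequence; credentials are the RFC 2617 sample pair.
function replay() {
  const cache = new BasicCredentialCache();
  const base = 'https://app.example.test';
  cache.remember(base + '/js/prototype.js', 'intranet', 'Aladdin', 'open sesame');
  return ['/js/prototype.js', '/js/lib/effects.js', '/themes/graphics/nav/home.png']
    .map(p => [p, cache.preemptiveHeader(base + p) !== null]);
}
```

Matching on the origin as well as the path prefix keeps the cached header from being attached to a request for a different scheme, host or port.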