[Webkit-unassigned] [Bug 56716] New: Authorization header broken after 302 redirect

Sat Mar 19 14:40:10 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=56716

           Summary: Authorization header broken after 302 redirect
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tuupola at appelsiini.net

Authorization header is broken after 302 redirect if you do a page reload immediately after redirect. When doing the reload header looks like this:

Authorization: Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0

when it should be like this:

Authorization: Basic dGVzdDp0ZXN0

Example code which reproduces the problem together with tcpdump of all headers can be found at: https://gist.github.com/874847 

Open the page. Login with test and test. Reload a few times. Page loads fine. Then click the link which make 302 redirect back to original page. Now when you reload it asks for   username and password again. If you check the logs you can see credentials are now broken.

There is also another test page at http://www.appelsiini.net/bugs/safari_auth/ (user: test, password: test). However Apache can recover from broken header and does not ask for password again. If you sniff the traffic you can still see the broken header.

Tested with Safari 5.0.4 (6533.20.27), Safari 5.0.3 (6533.19.4) and latest Webkit Nightly 5.0.3 (6533.19.4, r80833).

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.