Comment #17 on issue 1629 by sant9442: HTTP BASIC and DIGEST Authentication  
not passed once login takes place
http://code.google.com/p/chromium/issues/detail?id=1629

I guess I spoke too soon <g>

I did further testing and what I found is that after a logout and
another attempt to login, Chrome continues to remember previous
credentials when it should not when the server response is:

    response code: 401
    with new WWW-Authenticate: header

o Duplicating the problem:

Step 1: To see what I am talking about, go to the test site provided in
the initial comment:

  http://beta.winserver.com

and login (click Login Using Browser button) with the credentials:

   User Name: ChromeTester
   Password: ChromeTester

The new HTTP stack layer in the dev version (with --new-http switch)
properly passes the credentials on the redirected private home page. So
the original HTTP BASIC/DIGEST issue is resolved.

Step 2: Now log off and you will see the log off page.

Step 3: Click the Home to take you back to the public login page.

Step 4: Repeat the login and Chrome will ask for the credentials, which
if saved, should be auto-filled in.

However, when you click OK, the Login POPUP appears again, again, again,  
again.

The only way to resolve this is to literally close the browser.

o Analysis:

Ok, overall, one of the long time beefs with using IETF standard HTTP
BASIC/DIGEST authentication methods is that the protocol designers never
provided a way to "Logoff" or have an official standard programmatic
method to tell the browser to release the credentials.

The only way was to tell the user to CLOSE the browser, or if the user
was using IE, an ActiveX can be installed to release the credentials
in the WINNET.DLL interface.

Thus, this was one main impetus the web intranet industry provided
non-standard cookie-based HTML form display login and logout methods.

However, there is a method that is followed by all the browsers, and this
is to combine HTTP AUTH with a cookie which tells the browser the state of
the login or logout. If the user has cookies disabled, then the only
way to effectively release the credentials is to tell the user to
close the browser.

In short, the cookie status allows the server to determine when the
request Authorization: header is no longer valid and this allows the
server to respond with:

    response code: 401
    with new WWW-Authenticate: header

All browsers honor this and release the previous credentials and
will prompt for new ones.

Chrome does not.

I think the simple fix is that if Chrome sees a 401 with a
WWW-Authenticate header, it should clear the previous credential, thus
allowing it to start a new login process.
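
An added example, not part of the original comment and not Chromium's or the test site's code: a minimal Python model of the cookie-gated HTTP Basic logout described above, together with a client that clears its cached credentials on a 401 with WWW-Authenticate. The three session states, the `sid` cookie value, the sample account and the class names are assumptions made for illustration.

```python
import base64
import secrets

USERS = {"alice": "correct-horse"}  # constructed sample account

class Server:
    """Basic auth gated by a per-session state kept behind a cookie (sid)."""
    def __init__(self):
        self.state = {}  # sid -> "out" | "challenged" | "in"

    def _valid(self, authorization):
        try:  # parse "Basic base64(user:password)"
            scheme, blob = authorization.split(" ", 1)
            user, _, pw = base64.b64decode(blob).decode().partition(":")
        except (AttributeError, ValueError):
            return False
        return (scheme.lower() == "basic" and user in USERS and
                secrets.compare_digest(USERS[user].encode(), pw.encode()))

    def handle(self, authorization=None, sid=None):  # -> (status, headers, sid)
        if sid not in self.state:
            sid = secrets.token_urlsafe(16)
            self.state[sid] = "out"
        if self.state[sid] != "out" and self._valid(authorization):
            self.state[sid] = "in"
            return 200, {}, sid
        # Logged out or bad credentials: treat any Authorization as stale.
        self.state[sid] = "challenged"
        return 401, {"WWW-Authenticate": 'Basic realm="private"'}, sid

    def logout(self, sid):
        self.state[sid] = "out"

class Client:
    """Drops cached credentials when a request that carried them gets a 401."""
    def __init__(self, server, prompt):
        self.server, self.prompt, self.prompts = server, prompt, 0
        self.sid = self.cached = None

    def get(self):
        for _ in range(3):  # bounded, so a wrong password cannot loop forever
            status, _hdrs, self.sid = self.server.handle(self.cached, self.sid)
            if status != 401:
                break
            self.cached = None  # 401 + WWW-Authenticate: forget old credentials
            user, pw = self.prompt()
            self.prompts += 1
            self.cached = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
        return status
```

With Basic the server cannot tell replayed credentials from retyped ones, so the logout only holds if the client discards its cache on the 401, which is the behaviour the comment asks for.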

