Comment #3 on issue 6450 by sant9442: Cookies set during a 401 are not applied to the restarted transaction http://code.google.com/p/chromium/issues/detail?id=6450
Hi, just a follow-up on this new issue. Below is a collection of transactions. Here are the summary questions and comments:

In T9, the /LOGOUT request is made and the T10 response is 403. Should CHROME invalidate the Authorization at this point? If so, should Chrome send an Authorization: header with any subsequent page tag references <link>, <img>, <script>, XHR (ajax), etc., as in T11 with the /public/styles.css link request? I could be wrong, but somehow I sense a "security issue." I have to jot a to-do note to see how other browsers have behaved here.

Finally, I think I see a "work-around" for HTTP DIGEST. We can make the web server check the digest Authorization: header for an nc=00000001 (count 1) and use this as an override when the cookie sessionid=signedoff is still present. So in T22, we can accept the new login. This might be a general technical note for Chrome for web sites using Digest to consider using nc= as part of their scheme.

Overall, the real question (as much as Chrome should be concerned) is whether Chrome should invalidate the BASIC/DIGEST Authorization once a 401 or 403 is issued, especially a 401 with a new WWW-Authenticate: header.

o Transactions:

********** LOGIN ***************

------- Request (T1) -----------
GET /login?mode=html HTTP/1.1
Cookie: wcbbs=Santronics Research

------- Response (T2) ----------
HTTP/1.1 401 Unauthorized - user not logged in
Set-Cookie: sessionid=41F9ECEC; mode=html; path=/
WWW-Authenticate: Digest ...

------- Request (T3) -----------
GET /login?mode=html HTTP/1.1
Authorization: Digest ... nc=00000001
Cookie: wcbbs=Santronics Research

------- Response (T4) ----------
HTTP/1.0 302 found
Location: http://beta.winserver.com/
Set-Cookie: mode=html; path=/

------- Request (T5) -----------
GET / HTTP/1.1
Authorization: Digest ... nc=00000002
Cookie: wcbbs=Santronics Research; sessionid=41F9ECEC; mode=html

------- Response (T6) ----------
HTTP/1.0 302 found
Location: http://beta.winserver.com/default.wct

------- Request (T7) -----------
GET /default.wct HTTP/1.1
Authorization: Digest ... nc=00000003
Cookie: wcbbs=Santronics Research; sessionid=41F9ECEC; mode=html

------- Response (T8) ----------
HTTP/1.0 200 OK

********** LOGOUT ***************

------- Request (T9) -----------
GET /logout HTTP/1.1
Authorization: Digest ... nc=00000006
Cookie: wcbbs=Santronics Research; sessionid=41F9ECEC; mode=html

------- Response (T10) ---------
HTTP/1.0 403 Logging out - Closing Brower Request
Set-Cookie: sessionid=signedoff; path=/

------- Request (T11) ----------- ??? SHOULD IT SEND AUTHORIZATION ???
GET /public/styles.css HTTP/1.1
Authorization: Digest ... nc=00000007
Cookie: wcbbs=Santronics Research; mode=html; sessionid=signedoff

------- Response (T12) ----------
HTTP/1.0 304 Not Modified

------- Request (T13) ----------- ??? SHOULD IT SEND AUTHORIZATION ???
GET / HTTP/1.1
Authorization: Digest ... nc=00000008
Cookie: wcbbs=Santronics Research; mode=html; sessionid=signedoff

------- Response (T14) ----------
HTTP/1.0 302 found
Location: http://beta.winserver.com/public/default.wct

------- Request (T15) -----------
GET /public/default.wct HTTP/1.1
Authorization: Digest ... nc=00000009
Cookie: wcbbs=Santronics Research; mode=html; sessionid=signedoff

------- Response (T16) ----------
HTTP/1.0 200 OK

********** RE-LOGIN ***************

------- Request (T17) -----------
GET /login?mode=html HTTP/1.1
Authorization: Digest ... nc=0000000a
Cookie: wcbbs=Santronics Research; mode=html; sessionid=signedoff

------- Response (T18) ----------
HTTP/1.1 401 Unauthorized - user not logged in
Set-Cookie: sessionid=41FA0A67; mode=html; path=/
WWW-Authenticate: Digest ...

------- Request (T19) -----------
GET /login?mode=html HTTP/1.1
Authorization: Digest ... nc=00000001
Cookie: wcbbs=Santronics Research; mode=html; sessionid=signedoff

------- Response (T21) ----------
HTTP/1.1 401 Unauthorized - user not logged in
Set-Cookie: sessionid=41FA0AA5; mode=html; path=/
WWW-Authenticate: Digest ...

------- Request (T22) -----------
GET /login?mode=html HTTP/1.1
Authorization: Digest ... nc=00000001
Cookie: wcbbs=Santronics Research; mode=html; sessionid=signedoff

------- Response (T23) ----------
HTTP/1.1 401 Unauthorized - user not logged in
Set-Cookie: sessionid=41FA1043; mode=html; path=/
WWW-Authenticate: Digest ...

------- Request (T24) -----------
GET /public/styles.css HTTP/1.1
Cookie: wcbbs=Santronics Research; sessionid=41FA1043; mode=html

------- Response (T25) ----------
HTTP/1.0 304 Not Modified

******* AFTER CANCEL AND LOGIN CLICK *************

------- Request (T26) -----------
GET /login?mode=html HTTP/1.1
Cookie: wcbbs=Santronics Research; sessionid=41FA1043; mode=html

------- Response (T27) ----------
HTTP/1.1 401 Unauthorized - user not logged in
Set-Cookie: sessionid=4217C4B1; mode=html; path=/
WWW-Authenticate: Digest ...

------- Request (T28) -----------
GET /login?mode=html HTTP/1.1
Authorization: Digest ... nc=00000001
Cookie: wcbbs=Santronics Research; sessionid=41FA1043; mode=html

------- Response (T29) ----------
HTTP/1.0 302 found
Location: http://beta.winserver.com/
Set-Cookie: mode=html; path=/

------- Request (T30) -----------
GET / HTTP/1.1
Authorization: Digest ... nc=00000002
Cookie: wcbbs=Santronics Research; sessionid=4217C4B1; mode=html

------- Response (T31) ----------
HTTP/1.0 302 found
Location: http://beta.winserver.com/default.wct

------- Request (T32) -----------
GET /default.wct HTTP/1.1
Authorization: Digest ... nc=00000003
Cookie: wcbbs=Santronics Research; sessionid=4217C4B1; mode=html

------- Response (T33) ----------
HTTP/1.0 200 OK
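Two things in the comment above can be checked mechanically against the trace: the bug in the issue title (a 401 sets a new sessionid cookie, but the request that restarts the same transaction still carries the old one, as T19, T22 and T28 do) and the proposed server-side work-around (treat a Digest Authorization header with nc=00000001 as a fresh login even when the stale sessionid=signedoff cookie is still present). The script below is an added example, not code from the issue or from the WinServer site; the transaction list is reconstructed from T17 onward in the comment, and the Digest parameters other than nc are placeholders because the trace elides them.

```python
import re

# --- header parsers -------------------------------------------------------

def parse_digest_params(value):
    """Split 'Digest k1="v1", k2=v2, ...' into a dict; None if not Digest."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (values may contain spaces)."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def parse_set_cookie(value):
    """Return (name, value) of the cookie a Set-Cookie header creates;
    everything after the first ';' is attributes (path=/ etc.)."""
    name, _, val = value.split(";", 1)[0].strip().partition("=")
    return name, val


# --- the server-side work-around proposed in the comment ------------------

def classify_login_request(headers):
    """Decide what a /login request means to the server.
    'challenge':   no usable Digest credentials, answer 401.
    'fresh-login': nc=1, i.e. the first use of a new WWW-Authenticate
                   challenge; accepted even if sessionid=signedoff is present.
    'stale-auth':  credentials replayed after /logout (signedoff cookie, nc > 1).
    'continuing':  an established, not-signed-off session."""
    params = parse_digest_params(headers.get("Authorization", ""))
    if not params or "nc" not in params:
        return "challenge"
    nc = int(params["nc"], 16)  # nc is an 8-digit hex count (RFC 2617)
    signed_off = parse_cookie_header(headers.get("Cookie", "")).get("sessionid") == "signedoff"
    if nc == 1:
        return "fresh-login"
    return "stale-auth" if signed_off else "continuing"


# --- the bug in the issue title -------------------------------------------

def restarts_missing_401_cookie(trace):
    """For every 401 that set a cookie, check that the request restarting the
    same transaction (same path, immediately after) carries that cookie.
    Returns the ids of restarted requests that do not."""
    bad = []
    for i in range(len(trace) - 1):
        _, path, _, status, resp_h = trace[i]
        nid, npath, nreq_h, _, _ = trace[i + 1]
        if status != 401 or "Set-Cookie" not in resp_h or npath != path:
            continue
        name, val = parse_set_cookie(resp_h["Set-Cookie"])
        if parse_cookie_header(nreq_h.get("Cookie", "")).get(name) != val:
            bad.append(nid)
    return bad


# Constructed from transactions T17..T31 of the comment; username/realm are
# placeholders (assumption), only nc is taken from the trace.
def auth(nc):
    return 'Digest username="u", realm="beta.winserver.com", nc=%s' % nc

TRACE = [
    # (request id, path, request headers, response status, response headers)
    ("T17", "/login?mode=html", {"Authorization": auth("0000000a"),
     "Cookie": "wcbbs=Santronics Research; mode=html; sessionid=signedoff"},
     401, {"Set-Cookie": "sessionid=41FA0A67; mode=html; path=/"}),
    ("T19", "/login?mode=html", {"Authorization": auth("00000001"),
     "Cookie": "wcbbs=Santronics Research; mode=html; sessionid=signedoff"},
     401, {"Set-Cookie": "sessionid=41FA0AA5; mode=html; path=/"}),
    ("T22", "/login?mode=html", {"Authorization": auth("00000001"),
     "Cookie": "wcbbs=Santronics Research; mode=html; sessionid=signedoff"},
     401, {"Set-Cookie": "sessionid=41FA1043; mode=html; path=/"}),
    ("T24", "/public/styles.css",
     {"Cookie": "wcbbs=Santronics Research; sessionid=41FA1043; mode=html"},
     304, {}),
    ("T26", "/login?mode=html",
     {"Cookie": "wcbbs=Santronics Research; sessionid=41FA1043; mode=html"},
     401, {"Set-Cookie": "sessionid=4217C4B1; mode=html; path=/"}),
    ("T28", "/login?mode=html", {"Authorization": auth("00000001"),
     "Cookie": "wcbbs=Santronics Research; sessionid=41FA1043; mode=html"},
     302, {"Location": "http://beta.winserver.com/", "Set-Cookie": "mode=html; path=/"}),
    ("T30", "/", {"Authorization": auth("00000002"),
     "Cookie": "wcbbs=Santronics Research; sessionid=4217C4B1; mode=html"},
     302, {"Location": "http://beta.winserver.com/default.wct"}),
]

if __name__ == "__main__":
    for rid, path, req_h, _, _ in TRACE:
        if path.startswith("/login"):
            print(rid, classify_login_request(req_h))
    print("restarted requests missing the 401's cookie:", restarts_missing_401_cookie(TRACE))
```

Run stand-alone it lists T19, T22 and T28 as restarts that ignored the cookie their 401 set, and classifies T17 as a stale replay but T19/T22 as fresh logins under the nc=1 override. Note that the override only distinguishes a first use of a challenge from a replay; it does not verify the Digest response itself, which the server must still do.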
