<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>56716</bug_id>
          
          <creation_ts>2011-03-19 14:40:10 -0700</creation_ts>
          <short_desc>Authorization header broken after 302 redirect</short_desc>
          <delta_ts>2024-10-17 13:23:29 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>Page Loading</component>
          <version>528+ (Nightly build)</version>
          <rep_platform>Mac (Intel)</rep_platform>
          <op_sys>OS X 10.6</op_sys>
          <bug_status>UNCONFIRMED</bug_status>
          <resolution></resolution>
          
          <see_also>https://bugs.webkit.org/show_bug.cgi?id=239944</see_also>
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>0</everconfirmed>
          <reporter name="Mika Tuupola">tuupola</reporter>
          <assigned_to name="Nobody">webkit-unassigned</assigned_to>
          <cc>ap</cc>
    
    <cc>tom</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>370170</commentid>
    <comment_count>0</comment_count>
    <who name="Mika Tuupola">tuupola</who>
    <bug_when>2011-03-19 14:40:10 -0700</bug_when>
    <thetext>The Authorization header is broken after a 302 redirect if you do a page reload immediately after the redirect. When doing the reload, the header looks like this:

Authorization: Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0

when it should be like this:

Authorization: Basic dGVzdDp0ZXN0

Example code which reproduces the problem together with tcpdump of all headers can be found at: https://gist.github.com/874847 

Open the page. Log in with test and test. Reload a few times. Page loads fine. Then click the link which makes a 302 redirect back to the original page. Now when you reload, it asks for username and password again. If you check the logs you can see credentials are now broken.

There is also another test page at http://www.appelsiini.net/bugs/safari_auth/ (user: test, password: test). However, Apache can recover from the broken header and does not ask for the password again. If you sniff the traffic you can still see the broken header.

Tested with Safari 5.0.4 (6533.20.27), Safari 5.0.3 (6533.19.4) and the latest WebKit Nightly 5.0.3 (6533.19.4, r80833).</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>370252</commentid>
    <comment_count>1</comment_count>
    <who name="Alexey Proskuryakov">ap</who>
    <bug_when>2011-03-20 18:17:25 -0700</bug_when>
    <thetext>&lt;rdar://problem/9160498&gt;</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>