Bug 42717

Summary: A wrong password entered for site or proxy auth remains in WebCore credential storage, and is sent with subsequent requests
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: Page LoadingAssignee: Alexey Proskuryakov <ap>
Severity: Normal CC: abarth, beidson, eric, webkit.review.bot
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Description Flags
proposed fix darin: review+

Description Alexey Proskuryakov 2010-07-20 16:50:16 PDT
Credentials are never removed from WebCore credential storage, which has at least two downsides:
- if the remembered credentials are wrong, they will be sent with future requests, doubling server-side incorrect login counts;
- implementing logout by returning 401 in a response to valid credentials doesn't work. Note that this is not the best way to log out though, since an auth dialog will appear, which the user will have to cancel.

Comment 1 Alexey Proskuryakov 2010-07-20 16:54:37 PDT
Created attachment 62134 [details]
proposed fix
Comment 2 Darin Adler 2010-07-20 17:15:14 PDT
Comment on attachment 62134 [details]
proposed fix

Is there a race in the “storing a new credential” case was well as in the removal case? I ask because your comment in removal seemed to offer no reason this was specific to removal.
Comment 3 Alexey Proskuryakov 2010-07-20 17:31:07 PDT
The credentials are stored when they become known (and re-stored as default for directory when used). If a race condition happens there, it's really a bug in Web site code, we can do nothing to fix it.

In contrast, we could store ResourceHandle "current credential" to make sure that we're not removing a different one.
Comment 4 WebKit Review Bot 2010-07-21 10:06:36 PDT
http://trac.webkit.org/changeset/63834 might have broken GTK Linux 32-bit Release
Comment 5 Alexey Proskuryakov 2010-07-21 10:21:46 PDT
Yes, committed in <http://trac.webkit.org/changeset/63834> with follow up fixes in <http://trac.webkit.org/changeset/63836>.