RESOLVED FIXED 100585
[BlackBerry] Browser prematurely sends wrong credentials
https://bugs.webkit.org/show_bug.cgi?id=100585
Charles Wei
Reported 2012-10-26 19:08:48 PDT
Internal tracking number: 232027

The patch for bug 96362 (https://bugs.webkit.org/show_bug.cgi?id=96362) tried to address the problem that when the browser restarts, the user is prompted again for authentication that was already completed in the last browser session. The patch did it the wrong way: for each request to the server, even a new request that has never been sent to the server and thus has never been challenged by the server, it tries to get the credential from the persistent credential store and sends the credential to the server. This is not only error-prone, but also degrades performance.

1. It tries to get the credential from the persistent credential storage using only the URL, which is wrong. One URL might have multiple credentials, one for each realm. It's very possible that it will get the wrong credential using just the URL.
2. It queries the persistent credential storage prematurely for each request, even though 99% of requests won't be challenged at all. This is time-consuming and degrades performance.

The right solution to the problem described by bug 96362 was implemented in bug 100448 (https://bugs.webkit.org/show_bug.cgi?id=100448), which queries persistent credential storage using the right information (URL, realm, etc.) only when challenged.

The patch for 96362 should be reverted, but since so much has changed since that patch, a sheriffbot automated auto-revert failed. I came up with this bug and patch for a manual revert.
Attachments
Patch (5.71 KB, patch)
2012-10-26 19:13 PDT, Charles Wei
no flags
Patch (1.94 KB, patch)
2012-10-31 21:11 PDT, Charles Wei
no flags
Charles Wei
Comment 1 2012-10-26 19:13:38 PDT
Charles Wei
Comment 2 2012-10-26 19:32:32 PDT
Comment on attachment 171071 (Patch)
This patch has already been internally reviewed by Joe Mason. Need an upstream reviewer to approve it.
Charles Wei
Comment 3 2012-10-26 21:34:33 PDT
Comment on attachment 171071 (Patch)
commit.
WebKit Review Bot
Comment 4 2012-10-26 23:01:00 PDT
Comment on attachment 171071 (Patch)
Clearing flags on attachment: 171071
Committed r132722: <http://trac.webkit.org/changeset/132722>
WebKit Review Bot
Comment 5 2012-10-26 23:01:04 PDT
All reviewed patches have been landed. Closing bug.
Charles Wei
Comment 6 2012-10-31 21:09:31 PDT
Besides the patch above, which only prevents the browser from sending the credentials from persistent credential storage, we should also prevent the browser from sending the in-memory credentials before being challenged. Sending credentials before being challenged is not only a security concern, but also error-prone: because the server might support multiple schemes, we should always use the scheme that has the highest security instead of BASIC. It's also very possible that sending the credentials is redundant, because most servers will remember the client by cookies; the client can just send the request with the right cookies, and the server won't challenge the client at all.
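The lookup rules described in the report and in Comment 6, as an added C++ example that is not part of this thread or of the WebKit patches: a store keyed by origin, realm and scheme that is consulted only with the challenges from a 401 response, next to the origin-only lookup the report calls wrong. All type names, function names and the sample origin are hypothetical.

```cpp
#include <algorithm>
#include <map>
#include <string>
#include <tuple>
#include <vector>

// Hypothetical types for illustration; not WebKit's own credential storage API.
enum class Scheme { Basic = 1, Digest = 2 };  // larger value = stronger scheme
struct Challenge { Scheme scheme; std::string realm; };
struct Credential { std::string user, password; };
struct Answer { Scheme scheme; const Credential* credential; };  // nullptr = no match
class CredentialStore {
    using Key = std::tuple<std::string, std::string, Scheme>;  // origin, realm, scheme
    std::map<Key, Credential> m_entries;
public:
    void save(const std::string& origin, const std::string& realm, Scheme scheme, const Credential& c) {
        m_entries[Key{origin, realm, scheme}] = c;
    }
    // Flawed lookup described in the report: keyed by origin only, so it returns
    // whichever realm's credential happens to sort first.
    const Credential* lookupByOriginOnly(const std::string& origin) const {
        for (const auto& entry : m_entries)
            if (std::get<0>(entry.first) == origin)
                return &entry.second;
        return nullptr;
    }

    // Challenge-driven lookup: takes the challenges from a 401 response, tries the
    // strongest scheme first, and matches on origin + realm + scheme.
    Answer answerChallenge(const std::string& origin, std::vector<Challenge> offered) const {
        std::sort(offered.begin(), offered.end(),
                  [](const Challenge& a, const Challenge& b) { return a.scheme > b.scheme; });
        for (const Challenge& ch : offered) {
            auto it = m_entries.find(Key{origin, ch.realm, ch.scheme});
            if (it != m_entries.end())
                return Answer{ch.scheme, &it->second};
        }
        return Answer{Scheme::Basic, nullptr};  // nothing stored: prompt the user
    }
};

// Constructed sample data: one origin protecting two realms.
CredentialStore sampleStore() {
    CredentialStore store;
    store.save("https://intranet.example", "admin", Scheme::Basic, {"root", "admin-pw"});
    store.save("https://intranet.example", "wiki", Scheme::Basic, {"alice", "wiki-basic-pw"});
    store.save("https://intranet.example", "wiki", Scheme::Digest, {"alice", "wiki-digest-pw"});
    return store;
}
```

With the sample data, the origin-only lookup hands back the `admin` realm's credential regardless of which realm the server would have challenged for, while the challenge-driven lookup returns nothing until a matching realm and scheme are actually offered.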
Charles Wei
Comment 7 2012-10-31 21:11:25 PDT
Joe Mason
Comment 8 2012-10-31 21:31:53 PDT
Comment on attachment 171765 (Patch)
lgtm
Charles Wei
Comment 9 2012-11-01 06:42:21 PDT
Comment on attachment 171765 (Patch)
commit.
WebKit Review Bot
Comment 10 2012-11-01 06:47:40 PDT
Comment on attachment 171765 (Patch)
Clearing flags on attachment: 171765
Committed r133156: <http://trac.webkit.org/changeset/133156>
WebKit Review Bot
Comment 11 2012-11-01 06:47:44 PDT
All reviewed patches have been landed. Closing bug.