Bug 28244 - Logout doesn't work for some sites
Summary: Logout doesn't work for some sites
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
: P2 Normal
Assignee: Nobody
Depends on:
Reported: 2009-08-12 18:46 PDT by Tim McConnell
Modified: 2010-01-13 11:12 PST (History)
1 user (show)

See Also:

A Fiddler trace (can be opened as a ZIP) demonstrating Safari's loop. (736.27 KB, application/x-zip-compressed)
2009-10-02 17:56 PDT, Tim McConnell
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tim McConnell 2009-08-12 18:46:10 PDT
On SharePoint and as demonstrated by many posts on the web, Safari has problem handling the logout process for many websites:

It appears as though Safari is not consistent about refreshing credentials for 401 responses or HTTP Connection: Close.

I was unable to find related bugs in the database.
Comment 1 Alexey Proskuryakov 2009-08-13 16:50:32 PDT
Two of these links are about Safari 3, one is about cookie-based authentication, and one lacks any technical detail.

That said, I do not quite understand what the first article (the most detailed) is talking about. Looks like the suggestion is to send 401 response when accessing a logout link - but that would result in an authentication dialog/sheet displayed in any browsers, won't it? That doesn't seem like acceptable UI anyway. What am I missing?
Comment 2 Alexey Proskuryakov 2009-08-13 16:54:11 PDT
And it is true that credentials aren't removed from credential storage when 401 is received. This code is new to Safari 4, as Safari 3 used a different implementation for credential storage.
Comment 3 Tim McConnell 2009-08-13 20:33:34 PDT
Thanks for the updates, Alexey. I apologize for the weak repro details, but I'm currently encountering these problems on internal sites that cannot be accessed from the internet. I'll continue to pursue a live repro.
Comment 4 Tim McConnell 2009-08-28 00:03:31 PDT
I believe that I have some more details.

The problem is that Safari falls into a tight loop of sending a callback, receiving a 401, repeating the callback, receiving a 401 etc. in some logout cases. 

It looks like Safari does not handle the absence of the Negotiate token in the header when called through XMLHttpRequest object. This has the side effect that Safari will not show the Password Prompt, and then infinitely repeat its request to the box because the response is 0 bytes long.
Comment 5 Alexey Proskuryakov 2009-08-31 16:12:11 PDT
This sounds like a possible problem beneath WebKit, as authentication schemes themselves are implemented in closed source Apple code. In such case, this needs to be reported via http://bugreport.apple.com, but it's difficult to be sure without a test case or other hard data.
Comment 6 Tim McConnell 2009-10-02 17:56:30 PDT
Created attachment 40560 [details]
A Fiddler trace (can be opened as a ZIP) demonstrating Safari's loop.

Here's a Fiddler trace that contains the behavior in Safari when the 401 fails. It seems that having Safari Save Credentials will cause this bug to stop reproing.

The server being tested for this trace (mainlatest) uses Windows NTLM integrated authentication.
Comment 7 Alexey Proskuryakov 2009-10-09 17:49:22 PDT
Could you please re-test with a nightly build <http://nightly.webkit.org> newer that 49410? There were some fixes to authentication behavior made recently, although I'm not holding my breath.
Comment 8 Tim McConnell 2010-01-13 11:06:42 PST
Alexey, this does appear to be fixed in 4.0.4, at least for the type of bug that we were seeing. I'll let you handle the final resolution steps.