RESOLVED INVALID 282508
Safari sends authentication headers multiple times.
https://bugs.webkit.org/show_bug.cgi?id=282508
teisho
Reported 2024-11-03 08:03:42 PST
Created attachment 473118
Screenshot of Request with multiple authentication headers
Nginx server logs:
2024/11/03 15:05:24 [info] 20326#100213: *3479 client sent duplicate header line: "authorization: Basic dGVpcxxxxxxxxxxxxxxxxxxxxxxxxx", previous value: "authorization: Basic dGVpcxxxxxxxxxxxxxxxxxxxxxxxxx" while reading client request headers, client: 2a09:xxx:xxxx:xxx::xx:xx, server: foo.bar.de, host: "foo.bar.de"
Attachments
Screenshot of Request with multiple authentication headers (110.80 KB, image/png)
2024-11-03 08:03 PST, teisho
Bug reproduction using httpbin.org (4.36 MB, application/octet-stream)
2024-11-06 10:50 PST, Chris Z
Alexey Proskuryakov
Comment 1 2024-11-04 13:29:03 PST
Thank you for the report, this looks bad. It doesn't necessarily look like a WebKit bug though, web frameworks can also add Authorization. I've just tested with a website that uses Basic auth, and couldn't reproduce this. Could you please provide a way for us to reproduce this?
Chris Z
Comment 2 2024-11-06 10:50:31 PST
Created attachment 473154
Bug reproduction using httpbin.org
Chris Z
Comment 3 2024-11-06 10:51:14 PST
I have also been affected by this issue in Safari 18.1. The simplest reproduction involves using two different authentication methods on the same site:
1. Open a tab and visit https://httpbin.org/basic-auth/user/password
2. Log in using "user" and "password" and select "Remember this password"
3. Open another tab and visit https://httpbin.org/digest-auth/auth/user/password
4. Log in using "user" and "password" and select "Remember this password"
5. Return to the first tab and refresh. You will receive 400 Bad Request from httpbin.org. Observe the request headers and see that both the Basic and Digest Authorization headers are sent.
I have attached a video walking through this reproduction.
Like teisho, I have also experienced repeated identical Basic authorization headers; this scenario is harder to reproduce but seems to be related to the above reproducible issue.
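Added example, not part of the bug thread and not WebKit, nginx or httpbin code: a server-side check that separates the two symptoms reported here, identical repeated Basic headers (the nginx log in the report) and Basic plus Digest on one request (the reproduction in Comment 3). The sample request heads and the function names are constructed for illustration; credentials are fingerprinted so the result can be logged without exposing them.

```python
import hashlib

# Constructed sample request heads (not captured traffic). "user:password"
# mirrors the httpbin.org credentials used in the reproduction in Comment 3.
CRED = b"Basic dXNlcjpwYXNzd29yZA=="
DIGEST = b'Digest username="user", realm="constructed", nonce="0"'
HEAD = b"GET /basic-auth/user/password HTTP/1.1\r\nHost: example.test\r\n"
SINGLE = HEAD + b"Authorization: " + CRED + b"\r\n\r\n"
IDENTICAL = (HEAD + b"Authorization: " + CRED + b"\r\n"
             + b"authorization: " + CRED + b"\r\n\r\n")
MIXED = (HEAD + b"Authorization: " + CRED + b"\r\n"
         + b"Authorization: " + DIGEST + b"\r\n\r\n")


def authorization_lines(raw):
    """Return one (scheme, fingerprint) pair per Authorization header line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    found = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        # Header field names are case-insensitive.
        if not sep or name.strip().lower() != b"authorization":
            continue
        value = value.strip()
        scheme = value.split(b" ", 1)[0].decode("ascii", "replace").lower()
        # Hash the value so the credential itself never reaches a log.
        found.append((scheme, hashlib.sha256(value).hexdigest()[:12]))
    return found


def classify(raw):
    """Label a request head by how its Authorization headers repeat."""
    lines = authorization_lines(raw)
    if len(lines) <= 1:
        return "ok"
    if len(set(lines)) == 1:
        return "duplicate-identical"        # same header sent twice
    if len({scheme for scheme, _ in lines}) > 1:
        return "duplicate-mixed-schemes"    # e.g. Basic and Digest together
    return "duplicate-conflicting-credentials"


if __name__ == "__main__":
    for label, raw in (("single", SINGLE), ("identical", IDENTICAL), ("mixed", MIXED)):
        print(label, classify(raw), authorization_lines(raw))
```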
Alexey Proskuryakov
Comment 4 2024-11-06 14:35:00 PST
Thank you! The issue is most likely in underlying system frameworks below WebKit, Apple engineers will investigate.
Radar WebKit Bug Importer
Comment 5 2024-11-06 14:35:27 PST
nkatsikanis
Comment 6 2024-12-16 15:48:56 PST
We also see a similar thing, authorisation has basic header repeated
Alexey Proskuryakov
Comment 7 2024-12-16 22:07:02 PST
This is expected to be fixed in iOS 18.3 seed 1 and macOS Sequoia 15.3 seed 1 that were made available today. Please test with these, and let us know how it goes! Marking as INVALID, as this turned out to be an issue outside WebKit indeed.