WebKit Bugzilla
NEW
41090
Synchronous XMLHttpRequest retries incorrect credentials indefinitely
https://bugs.webkit.org/show_bug.cgi?id=41090
Stuart Ng
Reported
2010-06-23 11:51:14 PDT
Create XHR and open with username and password passed in. Server replies with 401 and Basic Authentication Scheme. Instead of replying with Basic Authentication Scheme, NTLM Scheme was used and hence authentication always fails.
Attachments
PHP Script On Server to Simulate Basic Authentication (630 bytes, text/plain), 2010-06-23 16:17 PDT, Stuart Ng
Packet Trace from Microsoft Network Monitor (202.80 KB, text/plain), 2010-06-23 17:15 PDT, Stuart Ng
Actual Capture (1.21 MB, application/octet-stream), 2010-06-24 07:03 PDT, Stuart Ng
Alexey Proskuryakov
Comment 1
2010-06-23 14:51:20 PDT
Could you please provide a test case? That's certainly the first time I hear about this problem - and we've got regression tests to verify that Basic auth works.
Stuart Ng
Comment 2
2010-06-23 16:17:34 PDT
Created attachment 59574: PHP Script On Server to Simulate Basic Authentication
Stuart Ng
Comment 3
2010-06-23 16:20:00 PDT
I basically host the attached PHP script on an IIS. Then, I create an XHR request with the following:

xhr.open('GET', 'secure.php', false, 'user', 'password');
xhr.send();

What I see:
HTTP Get was sent without Authorization Header
HTTP Response from PHP with 401 and Basic Authentication
HTTP Get was sent again this time with Authorization, but using NTLM Authentication
HTTP Response Again with 401 but with NLMP Authentication

Basically the last two messages keep repeating until Network Error 101 was received on browser. This is reproduced for both sync and async mode.
Alexey Proskuryakov
Comment 4
2010-06-23 16:51:18 PDT
Thanks! Could you please also attach a wireshark <http://www.wireshark.org/> packet trace?
Stuart Ng
Comment 5
2010-06-23 17:15:44 PDT
Created attachment 59585: Packet Trace from Microsoft Network Monitor
Stuart Ng
Comment 6
2010-06-23 17:16:46 PDT
Added new attachment with Microsoft Network Monitor Trace from Safari. This is the sync case, note the first HTTP 401 request Basic Authentication but then got a response in NTLM Authentication. The HTTP 401 ping-pongs until the end when Network Error 101 was received on browser.
Alexey Proskuryakov
Comment 7
2010-06-23 18:07:04 PDT
> Added new attachment with Microsoft Network Monitor Trace from Safari.
This trace isn't very helpful, because it doesn't include actual requests or responses. Wireshark can save those.
Stuart Ng
Comment 8
2010-06-24 07:03:52 PDT
Created attachment 59651: Actual Capture
Stuart Ng
Comment 9
2010-06-24 07:04:40 PDT
I have attached the actual capture. You can download Microsoft Network Monitor for free and open this file. Or you can use Wireshark. It contains the actual packet dump; hope it helps.
Alexey Proskuryakov
Comment 10
2010-06-24 09:03:23 PDT
Here is what happens here:

1. The server responds with a list of supported authentication schemes:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="My Realm"
2. Safari chooses Negotiate, since it's the first one.
3. Authorization fails, since it goes to IIS's own Negotiate handler, which rejects the credentials you supply.

It looks like a Safari bug that we retry with failed credentials indefinitely, I'm not yet sure if it's in WebKit or below. But the actual failure is a server side issue. Could you please verify that this only happens with sync XHR?
Stuart Ng
Comment 11
2010-06-24 09:54:06 PDT
Thanks! I turned off authentication processing on IIS for that particular folder, and everything works!
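The retry loop discussed in Comment 10, as an added example that is not part of the bug report and is not WebKit code: a constructed client loop that picks the first offered scheme but stops once the server re-offers a scheme it has already answered. The names `parseChallenge`, `isRejection`, `fetchWithAuth` and `rejectingServer` are hypothetical, and the Authorization tokens are placeholders.

```javascript
// Split a WWW-Authenticate value into the scheme and whatever follows it.
function parseChallenge(value) {
  const [scheme, ...rest] = value.trim().split(/\s+/);
  return { scheme: scheme.toLowerCase(), rest: rest.join(' ') };
}

// A 401 that re-offers a scheme we already answered means the credentials
// were rejected. Negotiate and NTLM are multi-leg: a continuation leg carries
// a token after the scheme name, so only a bare re-offer is a rejection.
function isRejection(challenge, answered) {
  if (!answered.has(challenge.scheme)) return false;
  const multiLeg = challenge.scheme === 'negotiate' || challenge.scheme === 'ntlm';
  return multiLeg ? challenge.rest === '' : true;
}

// Hypothetical client loop: chooses the first offered scheme (the behaviour
// described in Comment 10) but never resends credentials that were rejected.
// hardCap is a second safety net against any unbounded exchange.
function fetchWithAuth(send, credentials, hardCap = 10) {
  const answered = new Set();
  let headers = {};
  for (let requests = 1; requests <= hardCap; requests++) {
    const response = send({ headers });
    if (response.status !== 401 || response.challenges.length === 0) {
      return { status: response.status, requests, rejected: false };
    }
    const first = parseChallenge(response.challenges[0]);
    if (isRejection(first, answered)) {
      return { status: 401, requests, rejected: true };
    }
    answered.add(first.scheme);
    // Placeholder token: real Negotiate/NTLM tokens are built by the platform.
    headers = { Authorization: `${first.scheme} <token for ${credentials.user}>` };
  }
  return { status: 401, requests: hardCap, rejected: true };
}

// Constructed server: the challenge list from Comment 10, always rejecting.
function rejectingServer() {
  return { status: 401, challenges: ['Negotiate', 'NTLM', 'Basic realm="My Realm"'] };
}

// Two requests in total: the unauthenticated one and a single attempt.
console.log(fetchWithAuth(rejectingServer, { user: 'user', password: 'password' }));
```
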