42717 – A wrong password entered for site or proxy auth remains in WebCore credential storage, and is sent with subsequent requests

RESOLVED FIXED Bug 42717

A wrong password entered for site or proxy auth remains in WebCore credential storage, and is sent with subsequent requests

https://bugs.webkit.org/show_bug.cgi?id=42717

Summary A wrong password entered for site or proxy auth remains in WebCore credential...

Alexey Proskuryakov

Reported 2010-07-20 16:50:16 PDT

Credentials are never removed from WebCore credential storage, which has at least two downsides: - if the remembered credentials are wrong, they will be sent with future requests, doubling server-side incorrect login counts; - implementing logout by returning 401 in a response to valid credentials doesn't work. Note that this is not the best way to log out though, since an auth dialog will appear, which the user will have to cancel. <rdar://problem/7062824>

Attachments
proposed fix (16.14 KB, patch) 2010-07-20 16:54 PDT, Alexey Proskuryakov	darin: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2010-07-20 16:54:37 PDT

Created attachment 62134 [details] proposed fix

Darin Adler

Comment 2 2010-07-20 17:15:14 PDT

Comment on attachment 62134 [details] proposed fix Is there a race in the “storing a new credential” case was well as in the removal case? I ask because your comment in removal seemed to offer no reason this was specific to removal.

Alexey Proskuryakov

Comment 3 2010-07-20 17:31:07 PDT

The credentials are stored when they become known (and re-stored as default for directory when used). If a race condition happens there, it's really a bug in Web site code, we can do nothing to fix it. In contrast, we could store ResourceHandle "current credential" to make sure that we're not removing a different one.

WebKit Review Bot

Comment 4 2010-07-21 10:06:36 PDT

http://trac.webkit.org/changeset/63834 might have broken GTK Linux 32-bit Release

Alexey Proskuryakov

Comment 5 2010-07-21 10:21:46 PDT

Yes, committed in <http://trac.webkit.org/changeset/63834> with follow up fixes in <http://trac.webkit.org/changeset/63836>.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component Page Loading

Assignee

Alexey Proskuryakov

Reported

2010-07-20 16:50 PDT

Modified

2010-07-21 10:21 PDT History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks