Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Browser not sending `Authorization` header set on deep url to root url

Tags:

http

basic-authentication

When I ask user for HTTP Basic Auth at some URL, browser sends Authorization header only for this and some other URLs.

Testcase script written in PHP: http://testauth.veadev.tk/

There are three URLs to ask for credentials (you can use any random). Logout link (drops current credential after pressing "Cancel" button in browser auth form, not working in IE). Links to root URL and some test deeper URLs.

Questions:

  1. Why browser not sending Authorization header at / URL if HTTP/1.0 401 Unauthorized was sent at /system/dev? To repeat: open clean http://testauth.veadev.tk/, click Auth2, enter any credentials, you'll be forwarded to / after that. You'll see Auth: null which means no credentials header was sent by browser.

  2. Why does browser send Authorization header at / if HTTP/1.0 401 Unauthorized was sent at /dev? To repeat: open clean http://testauth.veadev.tk/, click Auth1, enter any credentials, you'll be forwarded to / after that. You'll see something like Auth: string 'Basic dHQ6dHQ=' (length=14) which means credentials header was sent by browser.

  3. If you repeat first case and then click Auth1 you'll have credentials at Root and all other pages. Why?

  4. If you click Auth3 (/some/deep/and/long/url) and you'll have credentials at Page3 (/some/deep/and/long/3) and nowhere else. Why?

To clear credential state between tests either restart your browser or click Logout, Cancel in Auth form and Root to return back (Firefox, Google Chrome).

What are the rules of sending Authorization header?

like image 381
vearutop Avatar asked Nov 11 '22 10:11

vearutop

1 Answers

RFC 2617, section 2 states:

A client SHOULD assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge. A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server.

If you are using Digest Challenge, section 3.2 states that you may specify a domain in the WWW-Authenticate header to indicate what the protection space will be. I would try setting that to something like domain=/. I am not sure if this will work with Basic authorization, but it wouldn't hurt to try it; if not, Digest authorization is not much more difficult to work with and is a bit more secure.

like image 180
Michael Avatar answered Nov 15 '22 06:11

Michael
Sign in to Comment

Related questions

Lightweight web authentication for embedded system
XmlHttpRequest denied by Access-Control-Allow-Origin even though origin matches perfectly
What's the most efficient ETag generation given the following possibilities?
Url encoding not supported
Should I use the Content-Location header this way?
How can I support SSL and non-SSL traffic on the same port using TIdHTTPServer and OpenSSL?
Can i use org.apache.http.client.HttpClient in google app engine?
Ruby HTTP post with session cookie
Http 1.1 protocol validation
Is it possible to match on PATCH requests in Happstack?
Detecting HTTP connection closure in Rails
HTTP streaming / chunked responses on Heroku with clojure
Website security testing shows Response.Redirect as being vulnerable to an attack
Why Javascript upload chunk sizes change by browser?
Is there an alternative to parse_qs that handles semi-colons?
Socket reading using BufferedInputStream
ASP.NET WebApi - how do I post a collection to a WebApi method?
Selenium Python - Get Network response body
What exactly does "every SSL certificate requires a dedicated IP" mean?
How is HttpContext TraceIdentifier generated in .NET Core?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!