I've been debugging an issue for several hours with one of my web applications that actually seems to be browser-dependent.
The issue was that if a user logged in with the "wrong" credentials initially, the user may want to re-authenticate later. This may not happen immediately, since the credentials obtained are passed to another server, i.e. the server won't immediately 401 if the credentials aren't correct.
I can test this easily by providing bogus credentials the first time I authenticate and get the Basic Authentication popup. The application, after noticing the first request has failed, will prompt for credentials again on the next request. At this point, I get another basic auth prompt, and no matter what I enter, the credentials sent to the server are the original username/password provided initially - but only in Chrome (and any Chromium-based browsers¹).
In contrast, when I try this in Pale Moon, it works as expected. Each time I get a Basic Auth prompt and re-enter credentials, the new credentials are sent by the browser to the web server.
One thing I tried was adding a random string to the Basic Auth realm, which in theory should tell the browser this is a different realm every time it asks for Basic Authentication. However, this didn't make any difference.
Surprisingly, even immediately responding with a 401 on every request and repeatedly reprompting for credentials, the first credentials still seem to be "sticky" and get sent over and over again, regardless of what the user enters after that:
    <?php
    session_start(); // required for $_SESSION below (implied in the original)

    // Every request is re-challenged with a fresh realm until the user "done" arrives.
    if (!isset($_SERVER['PHP_AUTH_PW']) || ($_SESSION['bauth']['reprompt'] ?? 0) == 2) {
        $_SESSION['bauth']['reprompt'] = 0; /* Reset */
        $_SESSION['bauth']['realm'] = "myrealm " . time();
        header("WWW-Authenticate: Basic realm=\"" . $_SESSION['bauth']['realm'] . "\"");
        header("HTTP/1.1 401 Unauthorized");
        echo "Re-enter credentials";
        exit;
    } else {
        // Log what the browser actually sent in this attempt
        error_log("User: " . $_SERVER['PHP_AUTH_USER'], 0);
        if ($_SERVER['PHP_AUTH_USER'] !== "done") {
            $_SESSION['bauth']['reprompt'] = 0; /* Reset */
            $_SESSION['bauth']['realm'] = "myrealm " . time();
            header("WWW-Authenticate: Basic realm=\"" . $_SESSION['bauth']['realm'] . "\"");
            header("HTTP/1.1 401 Unauthorized");
            echo "Re-enter credentials";
            exit;
        }
    }

I was using PHP_AUTH_USER and PHP_AUTH_PW initially to observe this, but as part of debugging, decoded the raw Authorization HTTP header and confirmed what the browsers were sending.
The only "fix" is to close the browser entirely and re-open, at which point the problem will just repeat. Chrome will take the first credentials provided and run with it forever, ignoring any credentials provided on future Basic Auth attempts during that session - even if the realm changes.
Strangely, I haven't come across anyone having exactly this issue, so I'm not sure if it's a browser bug, although there are similar questions about things working in Firefox-based browsers but not Chrome-based ones. Either way, since the browser is outside of my control, is there any way I might try to work around this from the application side, to mitigate the issue for Chrome?
¹ Multiple browsers (Chrome, Supermium), multiple versions on multiple machines.
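A self-contained reproducer for the re-prompt loop described above, added here as an example and not the poster's PHP code: a Python stand-in that challenges every request with a fresh realm until the username "done" arrives (the same acceptance rule as the question's snippet) and decodes the raw Authorization header on each attempt, so stale-credential resends from a given browser show up directly in the log. The port 8080, the realm format and the sample header values are assumptions for the example.

```python
"""Basic Auth re-prompt reproducer: challenge with a fresh realm on every
request and record exactly which credentials each attempt carried.
Added example; point a browser at http://127.0.0.1:8080/ and compare logs."""
import base64
import binascii
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_basic_authorization(header):
    """Decode an HTTP Basic Authorization header value.

    Returns (user, password) or None when the header is absent, uses another
    scheme, is not valid base64, is not UTF-8, or lacks the ':' separator
    that RFC 7617 requires. Only the first ':' splits, so passwords may
    themselves contain ':'.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def challenge(auth_header, accept_user, seen):
    """Decide the response for one request and record what the client sent.

    Mirrors the logic in the question: re-challenge until the expected
    username shows up. `seen` accumulates the decoded (user, password) pairs
    (None for unparseable/missing), which is what exposes a browser that
    keeps resending the first credentials it was given.
    Returns (status, realm); realm is None once the request is accepted.
    """
    creds = parse_basic_authorization(auth_header)
    seen.append(creds)
    if creds is not None and creds[0] == accept_user:
        return 200, None
    # Assumed realm format: unique per challenge so no client can have it cached
    return 401, "myrealm %d %d" % (int(time.time()), len(seen))


class ReproHandler(BaseHTTPRequestHandler):
    accept_user = "done"  # constructed: the username that ends the loop
    seen = []             # shared across requests for the lifetime of the server

    def do_GET(self):
        raw = self.headers.get("Authorization")
        status, realm = challenge(raw, self.accept_user, self.seen)
        self.send_response(status)
        if realm is not None:
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % realm)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write((b"Re-enter credentials" if status == 401 else b"OK"))
        # Raw header next to its decoded form, one line per attempt
        self.log_message("Authorization=%r decoded=%r", raw, self.seen[-1])


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ReproHandler).serve_forever()
```

Run it, enter deliberately wrong credentials at the first prompt, then different ones at each later prompt; a browser that behaves as described in the question will produce identical `decoded=` values on every line even though each 401 carried a new realm, while a browser that re-sends what the user typed will show the new pair on each attempt.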
