Issue metadata
Sign in to add a comment
|
Chrome stores/sends the HTTP Auth headers on second HTTP 401 timeout pop-up
Reported by
harishre...@ymail.com,
Jun 13 2016
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 Steps to reproduce the problem: 1. Login to application 2. Wait for timeout to get HTTP 401 3. Chrome challenges a 401 basic authentication popup 4. Enter the valid credentials and login 5. Again wait for timeout to get HTTP 401 (on this HTTP request security authorization values are already present which were entered on first timeout) 6. Due to 5 - Even if you click cancel/cross-mark on second 401 pop-up, Chrome sends the previously entered authorization headers and server responds positively. 6. User just gets reauthenticated even on click of cancel 6. What is the expected behavior? On second time-out, Chrome shouldn't store/cache the previously entered credentials for 401 HTTP request. This isn't observed in IE. For every subsequent 401 time-out What went wrong? Chrome stores/cache the login credentials entered on first HTTP 401 authentication pop-up. Therefore, for the same user on second time-out HTTP 401 request is already having the security authorization headers, due to this even on click on cancel/cross-mark on auth pop-up server responds positively and re-authenticates the user. On first timeout HTTP 401 doesn't contain any auth headers, hence on click of cancel chrome re-challenges with the same pop-up. But for second time-out this isn't happening. IE behaves correctly. This is a security risk at your end. Did this work before? N/A Chrome version: 51.0.2704.84 Channel: stable OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: Shockwave Flash 21.0 r0 As IE doesn't store/cache auth headers, click of cancel on second http 401 auth pop-up, IE continue to re-prompts authentication pop-up unless valid credentials are entered.
,
Jun 13 2016
Related to Issue ID 72589 and 5497 ? We are also looking for a way to invalidate the http auth credentials when receiving a 401 HTTP with previously entered valid credentials on first 401 HTTP.
,
Jun 13 2016
harishreddyg -- Can you describe how this is a security risk, rather than just a user-experience bug? asanka -- Who on network team should look at this?
,
Jun 14 2016
nparker - Didn't knew about the classification at your end it may be a different category bug. As chrome is storing the Security Auth headers, on second timeout HTTP 401 is fired and gives the pop-up. As this request is already having the security auth headers from the first timeout challenge, just clicking cancel/refresh will re-authenticate user. It's a security issue and doesn't happen on IE. Can refer to the attachment containing HTTP traces and actual fiddler log. please let us know if you are looking any information. Can you please assign it to right member. Appreciate your help in this regards.
,
Jun 14 2016
Yeah. That would be me. I'll have a look shortly.
,
Jun 14 2016
I'm marking this as Low severity because IIUC the browser is sending credentials to the server that were already sent in the first request, so I think the security risk is fairly small. Please let me know if I'm misunderstanding.
,
Jun 15 2016
Thanks Asanka! est..@chromium.org - Correct, browser is sending credentials to server even on click of cancel/cross on second timeout unauth 401 pop-up When the business user leave the system idle for the second time, any passing by user can click cancel/cross mark to get re-authenticated. It's high-security risk atleast for us. Bt keeping view of this Chrome's default functionality, you can make it security_sev to Medium to work this further. Appreciate your help.
,
Jun 16 2016
Sorry about the delay. Could you send me a net-internals log as described in https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details ? I'd like to see what requests are being issued and the outcome of each.
,
Jun 22 2016
asanka - captured and attached the net-internals as requested. Followed replication steps 1. Logged in to my application 2. Started Chrome net-internals event capturing. 3. Waited for 30+ seconds timeout to get HTTP 401 Auth pop-up 4. Provided valid credentials. 5. Waited again for 30+ seconds for second timeout to get HTTP 401 Auth pop-up. 6. Now, I didn't provide any credentials. Just clicked on cancel button. 7. I am able to re-authenticate and access the application 8. Stopped Chrome net-internals event capturing.
,
Jun 22 2016
Part of the problem is that the server is switching realms between authentication challenges. Chrome supports sending pre-emptive authentication headers as described in RFC 7617 Section 2.2. However, the semantics for invalidating credentials where the rejection is accompanied by a realm change is less clear. If the server rejects pre-emptive authentication with a challenge from a different realm, Chrome elects to keep the older credentials around until new credentials are available for the new realm. In your case, since no new credentials are available, a subsequent request within the same protection space will use the older cached credentials again. This behavior is spec compliant. If your intention is to invalidate the previous set of credentials, then consider using the same realm for subsequent challenges. That is an unambiguous signal that the older credentials should no longer be used. Sending credentials that were known to be valid to the same server while accessing the same path during the same browsing session is not a security vulnerability. That's something specifically allowed and encouraged for some schemes where it's dependent upon to reduce the number of roundtrips used for accessing authenticated resources.
,
Jun 23 2016
Asanka - Thanks for your analysis and sharing the RFC details. We have few questions in here. 1. Chrome will not send pre-emptive authentication headers if we have the same realm for subsequent challenges ? 2. If yes, can you please explain/help us on how to prevent realm change at server level on this use-case? (we are completely unaware of realms part, it would be great if you share some info) 3. This doesn't occur on IE, does it mean that most likely IE don't support/adhere RFC 7617 section 2.2? We will look for your response.
,
Jun 23 2016
#11: 1. If Chrome sends pre-emptive authentication headers to a server, and the server responds with a 401 challenge using the same realm, then Chrome assumes that the credentials supplied were incorrect. If the realm is different, then Chrome can't come to the same conclusion, so it retains the previous set of credentials. If you would like Chrome to discard an older set of credentials, then you can respond with a challenge using the same realm. If the user doesn't respond to the challenge, then Chrome won't use pre-emptive authentication for that protection scope (server + path) since it no longer has a valid set of credentials. 2. Can't help with server configuration. Sorry. I don't know of any server that by default changes the realm every now and then like yours is doing. 3. RFC 7617 Section 2.2 allows a UA to send a pre-emptive authorization header. It doesn't require it, and doesn't clearly define the behavior following a challenge that uses a different realm. Since the credentials are associated with a protection space (defined by the realm), a challenge for a new realm doesn't invalidate the credentials for the previous realm. IE and Chrome differ in that once a challenge is received for a different realm for the same authentication scope, IE seems to assume that the older protection space is no longer valid, while Chrome doesn't. There's no spec violation as far as I know since the spec doesn't define what should happen in this case.
,
Jun 24 2016
Thanks for the explanation. Can you please change the category of this issue so that I can share this link with my stakeholders containing the analysis. Just wanted to make it visible so that I can share this item details. Appreciate your help.
,
Sep 29 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 Deleted