MantisBT - NetSurf
View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0002461 | NetSurf | Development | public | 2016-08-12 16:18 | 2016-08-14 13:03

Reporter | maribu
Assigned To |
Priority | normal
Severity | feature
Reproducibility | always
Status | acknowledged
Resolution | open
Platform |
OS |
OS Version |
Product Version | 3.5
Target Version |
Fixed in Version |
Fixed in CI build # |
Reported in CI build # |
URL of problem page |
Summary | 0002461: http Digest authentication not implemented (RFC 7616)
Description | When a web page is opened that requires authentication using the HTTP Digest authentication scheme as specified in RFC 7616 (https://tools.ietf.org/html/rfc7616), the user is asked to input her credentials. When the user has typed in user name and password and clicks on the "Login" button, Wireshark registers two GET requests which both lack the Authorization header field, and the user is asked again to input her credentials.

I would expect NetSurf not to ask the user for credentials and to display the 401 page instead, unless the server provides an authentication scheme and parameters that are supported by the browser. Otherwise the user will likely conclude that she has forgotten her password or wrongly typed in her credentials. Because of that the user might try to log in again and again, but in fact there is no chance that the login will ever succeed because the authentication scheme is not supported by the browser.

Also, most web servers support HTTP Digest authentication (most seem to implement, at the time of writing, only the obsolete Digest authentication specified in RFC 2617), so it would be great to have support for Digest authentication in NetSurf. I suggest not implementing RFC 2617 in favour of RFC 7616: RFC 7616 remains fully compatible with obsolete RFC 2617 Digest implementations, but allows the use of much more secure hash functions if the server also supports them.
Steps To Reproduce | Open a website that requires authentication and only supports the HTTP Digest authentication scheme.
Additional Information | Here is one request-response pair as recorded from Wireshark. For each user input, two requests and two responses are generated.

    --------------------------------
    | Request: Netsurf --> Server |
    --------------------------------
    GET /secret.html HTTP/1.1\r\n
    Host: 127.0.0.1:12345\r\n
    User-Agent: NetSurf/3.5 (Linux)\r\n
    Accept: */*\r\n
    Accept-Encoding: gzip\r\n
    \r\n

    --------------------------------
    | Response: Netsurf <-- Server |
    --------------------------------
    HTTP/1.1 401 Unauthorized\r\n
    WWW-Authenticate: Digest realm="users@test.org", qop="auth", algorithm=SHA-256, nonce="a489712bb9f0413cf90fb8d95ad1b1025ce62c384d2cfc30e784567a41949ada", charset=UTF-8, userhash=true\r\n
    WWW-Authenticate: Digest realm="users@test.org", qop="auth", algorithm=MD5, nonce="a489712bb9f0413cf90fb8d95ad1b1025ce62c384d2cfc30e784567a41949ada", charset=UTF-8, userhash=true\r\n
    Content-Type: text/html\r\n
    Content-Length: 92\r\n
    \r\n
    <html><head><title>Unauthorized</title></head><body><h1>401 Unauthorized</h1></body></html>\n
Tags | No tags attached.
Relationships |
Attached Files |
Notes |
Issue History

Date Modified | Username | Field | Change
---|---|---|---
2016-08-12 16:18 | maribu | New Issue |
2016-08-12 17:50 | maribu | Note Added: 0001385 |
2016-08-14 13:03 | Vincent Sanders | Status | new => acknowledged
2016-08-14 13:03 | Vincent Sanders | Summary | http Digest authentication not implemented (RFC 7252) => http Digest authentication not implemented (RFC 7616)