Passing a username and a password for Basic Authentication is comfortable; But not if iOS Safari tells me to stay away from my website every time.
Example URL
http://bytecode77:123456#example-subdomain.bytecode77.com
Is there anything I can change in my code or webserver configuration to avoid such suspiciousness?
AFAIK, user credentials in URLs have been removed for security reasons
and no longer appear in the
protocol specs.
I read that Chrome and IE do not support that at all anymore.
Related
Need workaround for the following problem:
Summary:
See https://ecdip.ch/safaribug If https, a POST-request cannot be sent to target iframe.
Steps to Reproduce:
Go to https://ecdip.ch/safaribug
Log in DO NOT STORE IN KEYCHAIN
Try to send the form -> it works
Repeat 1 to 3 DO STORE IN KEYCHAIN -> form cannot be sent
Expected Results:
Sending the form (POST-request to hidden iframe) has to work if basic auth stored in keychain with https too.
Actual Results:
Sending the form (POST-request to hidden iframe) does NOT work with https when basic auth login stored in keychain
Version:
Bug exists in all version, OSX and Windows.
Notes:
The issues concerning http basic auth with Safari are discussed for years.
Configuration:
Does not occur in other browsers than Safari.
I am trying to obtain token for my UCWA app using passive auth. My setup is that once I receive the 401 challenge, I take the link to the token service from ms_rtc_passiveauthuri parameter and I visit this website (PassiveAuth.aspx) by creating a hidden iframe in the background of my website. Couple of redirects happen in that iframe but eventually I successfuly get the cookie and I proceed with creating the UCWA app.
This works nicely in IE, Chrome, Firefox and Opera, but Safari seems to refuse to do this redirections inside of that iframe.
I also tried to visit this token service by using the XFrame (and using helper library's Transport.clientRequest), but the result is 406 Not Acceptable.
Do you know about any workaround for Safari? Or, more importantly, is my approach correct - is this how it's meant to be used?
Thanks for any suggestion
Did you manage to work this out? I am having the same issues.
Edit : See the comments below for the answer - look out for the WWW-Authenticate and Www-Authenticate headers.
I have an asp.net website located on some server.
I try to login the website using IE10 compatibility mode, I fill user name and password, and when I press on the "Login" button, nothing happens. I get the login page again.
I checked with wireshark and found out that the cookie is not passed when redirecting from the login page.
I tried the workarounds from this post:
IE10 User-Agent causes ASP.Net to not send back Set-Cookie (IE10 not setting cookies)
I checked that the date and time of the server are equal to the date and time of the browser, and my server name doesn't contain non alphanumeric characters.
I tried changing the browser settings, restore to default and I tried with or without compatibility mode, but nothing helps!
(in chrome everything works fine and the cookie is passed).
Does someone have an idea about that?
Still cannot post comments...
You can always use cookieless="AutoDetect" to use Uri instead of cookies if it cannot set cookie. Some user may even deny all cookies, that is why all advertisements use only Uri mode.
Though it might result in share of Uri (easier than to share cookies) and if a user shouldn't be allowed to login from different places at once you'll need to revise your login logic.
I have an application in ASP.Net that use cookies for store some information.I want to open a form only first time when a user enter into the site.I created a cookie and I wrote something in that .The next time I enter the site, I read this information,if something is wrote in there that means that it's not necessary to open the form again.It works fine if I use the same browser, but if first I open with Internet Explorer the site ,I make the cookie , wrote something in it , I close the browser and then I open site with Mozzila Firefox the application can't see the cookie that i created with Internet Exlorer(the read cookie is null) .I create the cookie with Mozilla , i open application with Chrome , this also doesn't see the cookie.If I wrote something in the cookie with one browser , I can read this value only if i use the same browser. What should I do to see cookie content with all the browsers, to can read the cookie content with all browsers?
No! You can't and Check this question Can two different browser share on cookie?
That is not possible with regular cookies, what I know of. Each browser store and keep track of their own cookies, and does not share them.
I haven't tried it myself, but there are examples where Flash cookies and JavaScript are being used to create something like a cross-browser cookie.
I have an ASP.Net application where I am using Windows authentication to deny access to some components via roles. When using IE, the site pops up the "Authentication Required" box once, allows the user to enter their username/password for Active Directory, and all is fine.
HOWEVER, when using Firefox, it's "Authentication Required" box pops up, but when you click 'ok', it comes up again! It stays up a few dozen times! If you click cancel to all of them, it fails properly, denying access to the site. If you click cancel to all but 1 (Which you authenticate properly), it acts like you were properly authenticated.
My goal here is to have Firefox act like IE, and only ask the user once.
This forum post recommends updating your web.config to allow anon on WebResource.axd: http://forums.asp.net/p/1295804/2515478.aspx#2515478
Not ideal - I don't really understand WHY axd requests are behaving like this.
NOTE: NTLM requires keep-alive, if you install fiddler or firebug you should be able to see the "Connection: keep-alive" messages in the request header: http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication
you could get Firefox to behave exacylt like IE by adding the site to
about:config >>
network.automatic-ntlm-auth.trusted-uris
then firefox will use Windows Auth for the site
Maybe it would be best to redesign your login/authentication system such that authentication is asked only when the user first views/logs-in to the website (i.e. a login.aspx page) so that after that the users's credentials are cached throughout your website.