Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Этот сайт имеет ограниченную функциональность, пока мы проводим техническое обслуживание для улучшения его работы. Если какая-либо статья не решила вашу проблему и вы хотите задать вопрос, наше сообщество поддержки ждёт вас: @FirefoxSupport в Твиттере и /r/firefox на Reddit.

Поиск в Поддержке

Избегайте мошенников, выдающих себя за службу поддержки. Мы никогда не попросим вас позвонить, отправить текстовое сообщение или поделиться личной информацией. Сообщайте о подозрительной активности, используя функцию «Пожаловаться».

Подробнее

Firefox sends credentials in HTTP header to Apache2 for any subdirectory

  • 1 ответ
  • 1 имеет эту проблему
  • 19 просмотров
  • Последний ответ от cor-el

more options

Hello,

on an Apache 2.2 httpd I have configured a named virtual host like https://example.com:4711

This virtual host contains 2 reverse proxies for the /i/ and /apex/ subdirectories used for Oracle Application Express. In addition to this there is a subdirectory named /docs for some static documents which are independent from Oracle APEX.

Within the Apache virtual host configuration the /docs directory is password-protected using the directives "AuthType Basic" and "AuthName MyDir" inside a <Directory ...> section - this is working fine so far.

However, when being authenticated for the /docs directory, the credentials are also sent when requesting /apex/ or /i/ URLS - thus disturbing the Oracle APEX Authentication (which uses cookies). Doing some monitoring with Wireshark (after switching off SSL temporarily) shows that the credentials for the "MyDir" realm are sent in the HTTP header not only for /docs but just for every directory. After clearing the "Active Logins" the APEX login works fine again.

Tested with FF 60 ESR (as well as with old FF 45.9 ESR).

Is there any means to prevent this behaviour, i.e. that users do not have to clear "Active Logins"? Any help will be greatly appreciated.

Thanks in advance, Markus

Hello, on an Apache 2.2 httpd I have configured a named virtual host like https://example.com:4711 This virtual host contains 2 reverse proxies for the /i/ and /apex/ subdirectories used for Oracle Application Express. In addition to this there is a subdirectory named /docs for some static documents which are independent from Oracle APEX. Within the Apache virtual host configuration the /docs directory is password-protected using the directives "AuthType Basic" and "AuthName MyDir" inside a <Directory ...> section - this is working fine so far. However, when being authenticated for the /docs directory, the credentials are also sent when requesting /apex/ or /i/ URLS - thus disturbing the Oracle APEX Authentication (which uses cookies). Doing some monitoring with Wireshark (after switching off SSL temporarily) shows that the credentials for the "MyDir" realm are sent in the HTTP header not only for /docs but just for every directory. After clearing the "Active Logins" the APEX login works fine again. Tested with FF 60 ESR (as well as with old FF 45.9 ESR). Is there any means to prevent this behaviour, i.e. that users do not have to clear "Active Logins"? Any help will be greatly appreciated. Thanks in advance, Markus

Все ответы (1)

more options

Maybe create a bug report to get some feedback from the Firefox devs.