Showing questions tagged: Show all questions
  • Archived

Firefox 76 doesn't always resend the POST request body after Kerberos authentication

I develop for an intranet application at work. It is based on ASP.NET Webforms. The production servers have IIS 7 with persistent authentication disabled (Persist-Auth: f… (read more)

I develop for an intranet application at work. It is based on ASP.NET Webforms. The production servers have IIS 7 with persistent authentication disabled (Persist-Auth: false), which means that the browser should re-authenticate on every request. For a POST request (full PostBack) with a large enough body, Firefox does not resend the request body anymore as of Firefox 76 (worked with previous versions). I have verified this in Fiddler. Other browsers do not have this issue. This breaks the website because the ViewState is not being sent.

Expected compliant behavior (Chrome does it like this):

  1. Browser sends the request (without authorization header)
  2. Server responds with 401
  3. Browser resends the same complete request, with authorization header
  4. Server responds with 200 + content

Incorrect behaviour in Firefox 76:

  1. Browser sends the request (without authorization header)
  2. Server responds with 401
  3. Browser resends the request with an empty body, with authorization header
  4. Server waits for the body but does not receive it, and the request gets cancelled after 2 minutes. Eventually, the browser displays a 401 Not Authorized error, but with Fiddler running I can see a 408 error with the text: "The request body did not contain the specified number of bytes. Got 0, expected xxx."

Just for fun, this is the non-compliant behavior in IE11 that actually works, unlike Firefox:

  1. Browser sends the request with the authorization header from the previous GET request
  2. Server responds with 200 + content

Asked by OronDF343 1 year ago

Last reply by Roland Tanglao 1 year ago