Support Forum

Firefox sends credentials in HTTP header to Apache2 for any subdirectory

Hello,

on an Apache 2.2 httpd I have configured a named virtual host like https://example.com:4711

This virtual host contains 2 reverse proxies for the /i/ and /apex/ subdirectories used for Oracle Application Express. In addition to this there is a subdirectory named /docs for some static documents which are independent from Oracle APEX.

Within the Apache virtual host configuration the /docs directory is password-protected using the directives "AuthType Basic" and "AuthName MyDir" inside a <Directory ...> section - this is working fine so far.

However, when being authenticated for the /docs directory, the credentials are also sent when requesting /apex/ or /i/ URLs - thus disturbing the Oracle APEX Authentication (which uses cookies). Doing some monitoring with Wireshark (after switching off SSL temporarily) shows that the credentials for the "MyDir" realm are sent in the HTTP header not only for /docs but just for every directory. After clearing the "Active Logins" the APEX login works fine again.

Tested with FF 60 ESR (as well as with old FF 45.9 ESR).

Is there any means to prevent this behaviour, i.e. that users do not have to clear "Active Logins"? Any help will be greatly appreciated.

Thanks in advance, Markus


Additional system details

Installed plug-ins

  • The Adobe Reader plugin is used to enable viewing of PDF and FDF files from within the browser.
  • Next Generation Java Plug-in 11.141.2 for Mozilla browsers
  • nspluginwrapper is a cross-platform NPAPI plugin viewer, in particular for linux/i386 plugins. This beta software is available under the terms of the GNU General Public License.
  • Shockwave Flash 26.0 r0

Application

  • User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

cor-el
  • Top 10 Contributor
  • Moderator
17578 solutions 158993 answers

Maybe create a bug report to get some feedback from the Firefox devs.

  • https://bugzilla.mozilla.org/
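
Added example (not part of the posts above and not Firefox code): RFC 7617 section 2.2 lets a client preemptively send Basic credentials to any URL that prefix-matches the authenticated request's URL cut after its last "/". The sketch below applies that rule to the host and paths from the question; the sample URLs (`/docs/manuals/a.pdf`, `/docs/b.pdf`, `/apex/f?p=100`, `/i/app.css`) are constructed, and whether Firefox follows exactly this rule is an open assumption.

```python
from urllib.parse import urlsplit


def auth_scope(url: str) -> str:
    """Authentication scope per RFC 7617 section 2.2: the absolute URI of the
    authenticated request with everything after the last '/' of the path removed."""
    parts = urlsplit(url)
    path = parts.path or "/"
    scope_path = path[: path.rfind("/") + 1]
    return f"{parts.scheme}://{parts.netloc}{scope_path}"


def may_preempt(authenticated_url: str, next_url: str) -> bool:
    """True if next_url prefix-matches the scope, i.e. a client following the
    RFC MAY attach the Basic credentials without waiting for a new 401."""
    parts = urlsplit(next_url)
    absolute = f"{parts.scheme}://{parts.netloc}{parts.path or '/'}"
    return absolute.startswith(auth_scope(authenticated_url))


BASE = "https://example.com:4711"  # virtual host from the question
# Constructed sample: URLs at which the first 401 challenge could have been answered.
FIRST_AUTH = [BASE + "/docs", BASE + "/docs/", BASE + "/docs/manuals/a.pdf"]
# Constructed sample: later requests, one static document and the two proxied paths.
LATER = [BASE + "/docs/b.pdf", BASE + "/apex/f?p=100", BASE + "/i/app.css"]


def report():
    """Return (first_auth_url, later_url, credentials_may_be_sent) for every pair."""
    return [(first, later, may_preempt(first, later))
            for first in FIRST_AUTH for later in LATER]


if __name__ == "__main__":
    for first, later, sent in report():
        print(f"auth at {first:42} -> {later:38} preemptive: {sent}")
```

Under this rule, credentials first accepted at `/docs` (no trailing slash) get the scope `/`, which covers `/apex/` and `/i/`, while credentials first accepted at `/docs/` stay within `/docs/`.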