Bug 1320999 - Avoid double NTLM proxy auth prompt by not keeping nsHttpChannelAuthProvider::mProxyIdent when the sticky connection is thrown away during NTLM WWW authentication prompt, r=jduell
author Honza Bambas <honzab.moz@firemni.cz>
Tue, 29 Nov 2016 10:44:00 +0100
changeset 325288 eb6839ca47ea10a1ac0f241b896ea2d0ac01ce2d
parent 325287 f38852711f383117b245c47db466764cd0a0b8b8
child 325289 bbbe3c47bd0b88bd6f1b6ca39a1f8d68bd89f4e7
push id 24
push user maklebus@msu.edu
push date Tue, 20 Dec 2016 03:11:33 +0000
reviewers jduell
bugs 1320999
milestone 53.0a1
netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ -795,16 +795,29 @@ nsHttpChannelAuthProvider::GetCredential
 
     if (mConnectionBased && identityInvalid) {
         // If the flag is set and identity is invalid, it means we received the first
         // challange for a new negotiation round after negotiating a connection based
         // auth failed (invalid password).
         // The mConnectionBased flag is set later for the newly received challenge,
         // so here it reflects the previous 401/7 response schema.
         mAuthChannel->CloseStickyConnection();
+        if (!proxyAuth) {
+          // We must clear proxy ident in the following scenario + explanation:
+          // - we are authenticating to an NTLM proxy and an NTLM server
+          // - we successfully authenticated to the proxy, mProxyIdent keeps
+          //   the user name/domain and password, the identity has also been cached
+          // - we just threw away the connection because we are now asking for
+          //   creds for the server (WWW auth)
+          // - hence, we will have to auth to the proxy again as well
+          // - if we didn't clear the proxy identity, it would be considered
+          //   as non-valid and we would ask the user again ; clearing it forces
+          //   use of the cached identity and not asking the user again
+          mProxyIdent.Clear();
+        }
         mConnectionBased = false;
     }
 
     mConnectionBased = !!(authFlags & nsIHttpAuthenticator::CONNECTION_BASED);
 
     if (identityInvalid) {
         if (entry) {
             if (ident->Equals(entry->Identity())) {
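
Review bot: In the new `if (!proxyAuth)` block, `mProxyIdent.Clear()` is gated only on the WWW round having been connection-based with an invalid identity, while the comment justifies it solely for the NTLM-proxy-plus-NTLM-server case. Nothing in the condition checks that a proxy identity was ever set or that the proxy scheme is itself connection-based. Either say in the comment that clearing is intended to be harmless in every other case, or narrow the condition to the scenario described. The fix also relies on the proxy identity already being in the auth cache ("the identity has also been cached"), so the comment should state what happens when no cache entry is found, and a regression test for proxy NTLM followed by a rejected server NTLM password would be worth adding, since none is visible in this change. Style: the block body is indented two spaces where the surrounding function uses four.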