Safari 3 Breaks HTTP Authentication
I've been meaning to write for some time now about my gripes over Safari's handling of HTTP Authentication when the login is cancelled, but it only affects a small number of browsers and is more of an annoyance than a serious problem.
Now that Safari 3 has been released, however, it seems that rather than fixing the problem they've made things even worse by also breaking the 'log out' process, resulting in sessions that never expire.
The issues of not being able to see the 'Login Failed' content and not being able to log out of Basic Authentication at all have been fixed in Safari 5.0.
Unfortunately, they have again broken HTTP Authentication in Safari 5.1 by forcing re-authentication after EVERY redirect (301 or 302) within a secure realm.
Safari 6 has fixed the forced login on redirect problem (above), but the logout option has been broken again.
'Login Failed' content not displaying
In most browsers if you click 'Cancel' in the ugly grey authentication dialogue box, you will see the 'fallback' content - any HTML generated between the authentication headers and the end of the script.
A typical PHP example would look something like:
<?php
header("WWW-Authenticate: Basic realm=\"Private Area\"");
header("HTTP/1.0 401 Unauthorized");
echo "... HTML content to appear when login is cancelled ...";
exit; // stop here, otherwise the protected content below is sent regardless of the 401
In Safari (and apparently Omnikit as well) the HTML content is never displayed and instead the user just sees a blank screen. Now this is really annoying as a developer because what we normally display here (and it works in Explorer, Firefox, Mozilla, Opera and even Lynx) is a user-friendly message telling them what's happened, what they can do, who to contact, etc. Otherwise there's absolutely no way to inform the user what's going on.
I had assumed up to now that not displaying that content was a deliberate decision. A lot of developers don't realise this feature exists, so don't bother to exit after the authentication fails, which can result in content being displayed when it shouldn't be. But now that they've broken even more in this area I'm not so sure...
Can't log out in Safari
One of the gripes about HTTP Authentication - apart from the 'ugly grey box' - is that it's difficult to log someone out without having to close all windows and quit the browser. The most common solution is to use the fact that most browsers will clear the username/password values when an HTTP/1.0 401 Unauthorized header is encountered.
While this method works in Explorer, Firefox, Opera, Lynx and even Safari 2 (pre-Leopard), it doesn't work in Safari 3. That means that a website relying on HTTP Basic Authentication over SSL - one of the best available standards-based website authentication protocols - will not be able to provide a log out option, or even to deactivate a session after a period of inactivity, for Safari users.
Unlike my earlier gripe, this cannot possibly be good for security as it means that, so long as Safari remains open, the Back button can be used to access secure content. The previously used username and password are simply never forgotten.
Unfortunately there are very few options other than using a dynamic 'realm' or firing off a new authentication request with known invalid details, both of which are a bit messy.
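As an added example (this is not the article's own code, nor Apple's), here is one complete PHP page that puts together the pieces discussed above: the 401-plus-fallback-content pattern from the 'Login Failed' section, logging out by sending a fresh 401 (the trick most browsers honour), the 'dynamic realm' workaround for browsers that never forget the password, and a server-side inactivity timeout so that a cached password alone can never resume an expired session. The username, password, realm text and 15 minute limit are assumed demo values, and it needs PHP 7 or later for hash_equals and the ?? operator.

```php
<?php
// Added example, not the article's code. A protected page that:
//  - sends the 401 with fallback content (the 'Login Failed' pattern),
//  - logs out by sending a fresh 401, which most browsers honour,
//  - changes the realm on logout/timeout (the 'dynamic realm' workaround)
//    for browsers that keep replaying the old password,
//  - enforces an inactivity timeout on the server side.
// Username, password, realm text and timeout are assumed demo values.
session_start();

const VALID_USER   = 'alice';           // assumed demo credential
const VALID_PASS   = 'correct horse';   // assumed demo credential
const IDLE_SECONDS = 900;               // assumed 15 minute idle limit
const REALM_BASE   = 'Private Area';

// The realm carries a per-session generation number. Bumping it turns the
// next challenge into one for a realm the browser has no stored password for.
$_SESSION['generation'] = $_SESSION['generation'] ?? 1;

function challenge(int $generation, string $message): void
{
    // PHP convention: WWW-Authenticate first, then the status line.
    header('WWW-Authenticate: Basic realm="' . REALM_BASE . ' ' . $generation . '"');
    header('HTTP/1.0 401 Unauthorized');
    header('Cache-Control: no-store');
    // Fallback body shown when the user presses Cancel (blank in Safari 3).
    echo '<p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
    exit; // never fall through to the protected content
}

function end_session(string $message): void
{
    $_SESSION['generation']++;          // the old realm is now invalid
    unset($_SESSION['last_seen']);
    // Deliberately not marking the new generation as challenged: the next
    // request must go through one more 401 before any password is accepted.
    challenge($_SESSION['generation'], $message);
}

if (isset($_GET['logout'])) {
    end_session('You have been logged out.');
}

// A password alone is never enough: the browser must have been challenged
// with the current realm first, so a pre-emptively replayed old password
// cannot quietly resume a logged-out or expired session.
if (($_SESSION['challenged'] ?? 0) !== $_SESSION['generation']) {
    $_SESSION['challenged'] = $_SESSION['generation'];
    challenge($_SESSION['generation'], 'Please log in to continue.');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!(hash_equals(VALID_USER, $user) && hash_equals(VALID_PASS, $pass))) {
    challenge($_SESSION['generation'],
        'Login cancelled or failed. Contact the site administrator for access.');
}

// Server-side inactivity timeout. The cached password cannot override it,
// because ending the session also changes the realm.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_SECONDS) {
    end_session('Your session expired after inactivity. Please log in again.');
}
$_SESSION['last_seen'] = time();

header('Cache-Control: no-store'); // keep protected pages out of the Back cache
echo '<p>Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
   . '. <a href="?logout=1">Log out</a></p>';
```

The point of the generation counter is that the server never trusts the Authorization header on its own: after a logout or timeout the next request is always answered with a 401 for a realm the browser has never seen, and only credentials sent after that challenge are checked. That is as far as the server can go. It can force a new challenge, but it cannot force a prompt; a browser that silently replays the old password against the new realm, which is the behaviour complained about above, will still be let back in, which is why the plea to the RFC below is the real fix.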
The RFC (linked under references below) states that:
... user agents which cache credentials are encouraged to provide a readily accessible mechanism for discarding cached credentials under user control.
So how about it Safari?