Safari 3 Breaks HTTP Authentication

I've been meaning to write for some time now about my gripes over Safari's handling of HTTP Authentication when the login is cancelled, but it only affects a small number of browsers and is more of an annoyance than a serious problem.

Now that Safari 3 has been released however, it seems that rather than fixing the problem they've made things even worse by also breaking the 'log out' process resulting in sessions that never expire.

The issues of not being able to see the 'Login Failed' content and not being able to log out of Basic Authentication at all have been fixed in Safari 5.0.

Unfortunately, they have again broken HTTP Authentication in Safari 5.1 by forcing re-authentication after EVERY redirect (301 or 302) within a secure realm.

Safari 6 has fixed the forced login on redirect problem (above), but the logout option has been re-broken.

'Login Failed' content not displaying

In most browsers if you click 'Cancel' in the ugly grey authentication dialogue box, you will see the 'fallback' content - any HTML generated between the authentication headers and the end of the script.

A typical PHP example would look something like:

    <?php
    function login()
    {
        // Ask the browser for Basic credentials for this realm
        header("WWW-Authenticate: Basic realm=\"Private Area\"");
        header("HTTP/1.0 401 Unauthorized");
        // ... HTML content to appear when login is cancelled ...
        exit;
    }
    ?>

In Safari (and apparently Omnikit as well) the HTML content is never displayed and instead the user just sees a blank screen. Now this is really annoying as a developer because what we normally display here (and it works in Explorer, Firefox, Mozilla, Opera and even Lynx) is a user-friendly message telling them what's happened, what they can do, who to contact, etc. Otherwise there's absolutely no way to inform the user what's going on.

I had assumed up to now that not displaying that content was a deliberate decision. A lot of developers don't realise this feature exists so don't bother to exit after the authentication fails which can result in content being displayed when it shouldn't be. But now that they've broken even more in this area I'm not so sure...

Can't log out in Safari

One of the gripes about HTTP Authentication - apart from the 'ugly grey box' - is that it's difficult to log someone out without having to close all windows and quit the browser. The most common solution is to use the fact that most browsers will clear the username/password values when an HTTP/1.0 401 Unauthorized header is encountered.

While this method works in Explorer, Firefox, Opera, Lynx and even Safari 2 (pre-Leopard), it's not there in Safari 3. That means that a website relying on HTTP Basic Authentication over SSL - one of the best available standards-based website authentication protocols - will not be able to provide a log out option or even to deactivate a session after a period of inactivity for Safari users.

Unlike my earlier gripe, this cannot possibly be good for security as it means that, so long as Safari remains open, the Back button can be used to access secure content. The previously used username and password are simply never forgotten.

Unfortunately there are very few options other than using a dynamic 'realm' or firing off a new authentication request with known invalid details, both of which are a bit messy.
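
The dynamic-realm workaround mentioned above, combined with a server-side inactivity timeout, as an added example that is not the article's own code. IDLE_LIMIT, valid_login(), challenge(), the ?logout parameter and the demo account are assumptions. Credentials are accepted only in reply to a challenge issued after the logout or timeout; whether the browser prompts again for the new realm remains the browser's decision.

```php
<?php
// Added example, not the article's code. Hypothetical names: IDLE_LIMIT,
// valid_login(), challenge(), the ?logout parameter and the demo account.
const IDLE_LIMIT = 900; // seconds of inactivity before re-authentication

function valid_login(string $user, string $pass): bool
{
    // Constructed demo account; real code would check a stored
    // password_hash() value with password_verify().
    return hash_equals('demo', $user) && hash_equals('example-password', $pass);
}

function challenge(string $message, bool $countsAsLoginPrompt): void
{
    // Dynamic realm: the realm names the protection space, so credentials
    // cached for the previous realm do not belong to this one.
    $realm = 'Private Area ' . bin2hex(random_bytes(4));
    $_SESSION['challenged'] = $countsAsLoginPrompt;
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    echo '<p>' . htmlspecialchars($message) . '</p>'; // fallback content
    exit;
}

session_start();
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
$idle = time() - ($_SESSION['last_seen'] ?? 0);

if (isset($_GET['logout'])) {
    $_SESSION['active'] = false;
    challenge('You have been logged out.', false);
}
// Live session: logged in through this script and seen within IDLE_LIMIT.
$live = !empty($_SESSION['active']) && $idle <= IDLE_LIMIT;
// Otherwise credentials count only as the reply to a challenge issued
// after the logout or timeout, never as ones replayed from before it.
$answered = !empty($_SESSION['challenged']);
if ($user === null || !($live || $answered) || !valid_login($user, $pass)) {
    $_SESSION['active'] = false;
    challenge('Login cancelled or failed.', true);
}
if (!$live) {
    session_regenerate_id(true); // new session id at each login
}
$_SESSION['active'] = true;
$_SESSION['challenged'] = false;
$_SESSION['last_seen'] = time();
echo '<p>Private content for ' . htmlspecialchars($user) . '</p>';
```

The PHP session cookie only records whether a fresh challenge is required; the Basic credentials are still checked on every request.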

The RFC (linked under references below) states that:

... user agents which cache credentials are encouraged to provide a readily accessible mechanism for discarding cached credentials under user control.

So how about it Safari?


User Comments

9 February, 2013

I have the same problem. Can't log out of Safari. Also all the log out functions are missing on every web page. Heck I can't even turn off the iPad since upgrading to Safari 5 and iOS6 WTF is wrong.

27 September, 2011

Have you figured this out? It seems that there's still the problem with Safari 5.1, and iPad version. If you've found a solution, I would be pleased to know it, I have the sad constraint to work with HTTP Digest Auth.

6 March, 2009

It seems that the problem is only with Safari 3 on Windows and on Leopard (10.5), but not on Tiger (10.4).

1 April, 2008

Try the "Reset Safari" menu option (File menu for Windows, Safari menu for Mac OS X) - this allows you to erase all such 'privacy' information.

I really don't think it's a realistic solution telling users that they have to Reset Safari when they want to log out. Quitting and restarting Safari will also wipe the HTTP Authentication details, but every other browser on the market lets you log someone out by simply sending a 401 Unauthorized HTTP Header...