skip to content

Safari 5.1 Breaks Basic Authentication

You may or may not be aware that HTTP Authentication was slightly broken in Safari from version 3 to 4.x. When those issues where fixed in 5.0 it looked like they had finally got it right. Unfortunately a new bug was introduced in Safari 5.1 that makes the situation worse even than before.

Safari 6.0 (July 2012) finally fixes this problem with HTTP Basic Authentication - ending (we can hope) a ridiculous situation. Unfortunately at the same time they've managed to break (yet again) the logout option!

Increased security

What seems that have happened is that they have tried to increase security by making it more difficult to stay logged in to an HTTP Authentication realm. Previously you would stay logged in as long as the browser was open (and previous to Safari 5.0 it was impossible to log someone out using HTTP 401 headers).

Now after a period of inactivity you are automatically de-authenticated and have to reenter your Username and Password. So far so good.

So what's the problem?

The problem is that once you enter a secure section of a website (an administration zone for example), any redirect (301 or 302) to another secure page results in a new login prompt. So in PHP any header command using Location: to redirect to another, or even the same, page logs you out. Redirecting to a non-secure page does not log you out.

This makes any pages/forms that use the best practice "Redirect After Post" or PRG (Post/Redirect/Get) completely unusable unless you allow the browser to store your login details. Having the browser store your details or course means that anyone with access to your computer has your password.

HTTP or Basic Access Authentication was originally defined in 1996. It hasn't changed much since then. It's unbelievable that Safari has been unable to implement it properly, apart from a brief time with Safari 5.0, since breaking it in Safari 3.0.

Why use HTTP authentication?

While many people avoid it because either they (a) don't understand it; or (b) don't like the 'ugly grey prompt box', it remains incredibly simple and useful both for websites and for various devices. Especially when combined with SSL encryption. There is no need to place a login form anywhere as linking to any secured page generates the login prompt.

All the alternative solutions involve huge amounts of extra programming, cookies, redirects and databases and are often less security than Basic Access Authentication which is built into every single browser, even text browsers such as Lynx and W3M. The only more secure solution I'm aware of is OAuth, such as used by Twitter for authorising third-party apps.

Hopefully we don't have to wait another 2 versions for this stupid problem to be fixed!


< System

Post your comment or question