Safari HTTP Basic Authentication "strange" at a minimum
Safari 4.0.2 (530.19.1) for Windows does not behave correctly with HTTP Basic Authentication. I have a web-based astronomy support system which requires username/password for
every access.
With all other browsers, on first access the U/P window appears, the user fills in their credentials, and thereafter all accesses by the browser to that domain:port are accompanied by the HTTP Authorization: Basic header with the encoded username/password.
With Safari, if the user does not check the box "remember my username/password", the browser sends every request first without the credentials, to which the server (properly) replies with a 401 status, to which the browser answers with another identical request for the same URL, except this time it does have the Authorization header. Thus, Safari generates twice the number of HTTP requests to the server for any page hosted by that server!
Now, if the user does check the box "remember my username/password" (I think this puts the U/P on the "keychain?), then Safari behaves like the other browsers, including the Authorization header (with the encoded U/P) on the first request for each page element.
Now, if the user does put the U/P on the keychain, another incorrect behavior appears. Normally, if the browser is exited and restarted, on the first request, the user sees the Username/Password dialog _at all times_, whether or not the U/P is remembered. The only difference is that, if it is remembered, the U/P appears pre-filled in the dialog. With Safari, however, upon restarting the browser immediately starts loading the page, without showing the username/password dialog! This means that one cannot log in with different credentials from the same browser by stopping and starting the browser.
I have done extensive racing of Safari's activity using an ethernet packet sniffer and an HTTP diagnostic proxy to verify that this is not my imagination.
One final quirk: After authenticating with Safari's HTTP Basic Auth username/password dialog, sometimes another completely different-looking username/password dialog appears. It is apparently coming from the Java Runtime, as it has a Java logo on it and has a unique appearance. I'm guessing it is in response to some Javascript running in the downloaded web content. And you have to re-enter your credentials into this one or risk problems loading the site. Early versions of Chrome used to have this but they fixed it.
What this boils down to is that we have to tell our customers to check the "remember" box, or risk problems with the site. This is unique to Safari. All other browsers (IE, Chrome, Chromium, Opera, Firefox) behave identically w.r.t HTTP Basic Authentication, and this (correct) behavior has been unchanged since the early days of the web.
With all other browsers, on first access the U/P window appears, the user fills in their credentials, and thereafter all accesses by the browser to that domain:port are accompanied by the HTTP Authorization: Basic header with the encoded username/password.
With Safari, if the user does not check the box "remember my username/password", the browser sends every request first without the credentials, to which the server (properly) replies with a 401 status, to which the browser answers with another identical request for the same URL, except this time it does have the Authorization header. Thus, Safari generates twice the number of HTTP requests to the server for any page hosted by that server!
Now, if the user does check the box "remember my username/password" (I think this puts the U/P on the "keychain?), then Safari behaves like the other browsers, including the Authorization header (with the encoded U/P) on the first request for each page element.
Now, if the user does put the U/P on the keychain, another incorrect behavior appears. Normally, if the browser is exited and restarted, on the first request, the user sees the Username/Password dialog _at all times_, whether or not the U/P is remembered. The only difference is that, if it is remembered, the U/P appears pre-filled in the dialog. With Safari, however, upon restarting the browser immediately starts loading the page, without showing the username/password dialog! This means that one cannot log in with different credentials from the same browser by stopping and starting the browser.
I have done extensive racing of Safari's activity using an ethernet packet sniffer and an HTTP diagnostic proxy to verify that this is not my imagination.
One final quirk: After authenticating with Safari's HTTP Basic Auth username/password dialog, sometimes another completely different-looking username/password dialog appears. It is apparently coming from the Java Runtime, as it has a Java logo on it and has a unique appearance. I'm guessing it is in response to some Javascript running in the downloaded web content. And you have to re-enter your credentials into this one or risk problems loading the site. Early versions of Chrome used to have this but they fixed it.
What this boils down to is that we have to tell our customers to check the "remember" box, or risk problems with the site. This is unique to Safari. All other browsers (IE, Chrome, Chromium, Opera, Firefox) behave identically w.r.t HTTP Basic Authentication, and this (correct) behavior has been unchanged since the early days of the web.
Windows XP Pro