Safari 5.1 and HTTP basic access authentication not working

The issue I just posted seems to be related to the problem you describe:

https://discussions.apple.com/thread/3772253?start=0&tstart=0

I was able to reproduce an issue using the HTML 5 audio tag and the drupal_goto method in Drupal. In both cases, in Safari 5.0.5 and Safari 5.1.2, in the apache logs, the initial requests to the page include the authenticated user, but the request to download the audio file or the request to go to a new page somehow did not send the authentication information because the request in the log doesn't include anything.

So for example, I am authenticated by apache and submit a form. The page processes the form then uses drupal_goto to redierct to another page. From Chrome, the following appears in the apache log:

::1 - tom [02/Feb/2012:17:23:46 -0500] "POST /drupal/node/6?q=node/6 HTTP/1.1" 302 502

::1 - tom [02/Feb/2012:17:23:46 -0500] "GET /drupal/node/8 HTTP/1.1" 200 3019

When I do the same thing in Safari:

::1 - tom [02/Feb/2012:17:25:50 -0500] "POST /drupal/node/6?q=node/6 HTTP/1.1" 302 502

::1 - - [02/Feb/2012:17:25:50 -0500] "GET /drupal/node/8 HTTP/1.1" 401 401

::1 - tom [02/Feb/2012:17:25:55 -0500] "GET /drupal/node/8 HTTP/1.1" 200 3019

The request after the goto doesn't include authentication information - and I have to put in my username and password.

This is an annoyance in the case of redirection - having to reauthenticate every time - but in the case of HTML 5 audio it is fatal. The audio file specified in the source tag simply does not load.

Looks like it's fixed in Safari 6. Finally.

Nope. Not fixed in Safari 6. It is very anoying to have to keep logging in twice.

Weird, it's most definitely working for me now. Tested on three different computers (Lion and Mountain Lion): the webpage login details are not in Keychain and on basic 301, 302, 303 and 307 redirects the "Authorization:Basic" is included in the redirected HTTP header as expected, so I am not getting a second login prompt. That was not happening before Safari 6.

I have a FileMaker developer for my company and this bug is affecting all of my FileMaker users. Users are now being required to repeatedly authenticate for tasks that previously required no authentication (because it was stored in the computers' keychain).

I am also having this problem. Extremely frustrating! Introduced with an upgrade to Mountain Lion. Will this ever be fixed?

Installed Safari 6.0.4 today and the problem is *still* there. Works as expected in FF and Chrome. Does anyone know of a workaround that doesn't require moving the video to an unprotected directory?

-Terry

Happy to see that it's not my code is not the cause of the problem.

One possibility to escape to this bug under Safari, might be to generate a time-limited link, and this only if the user it is authenticated on the page. I'm using PHP, so I should be able to obtain a fix with "PHP_AUTH_USER" or similar.

I'm not really expecting that Apple will correct it...

CU.

Filemaker 12.05, Mavericks, this still exists! Has anyone heard any news on this, or are both companies silent on the matter?

i can confirm this bug on safari 6.1. also a lot of customer complaints, different versions. have to switch our web app's auth mechanism. I don't expect apple to fix this as it seems to exist since some years!!

Has there been any update on this? I just begrudgingly updated to Lion from SL and am having this problem with all of our joomla sites. We have the admin directories for all of our client's joomla sites protected via htaccess. Now whenever I try to work in the admin section of one of these sites I am constantly asked for the htaccess login info as I perform various tasks in the back end. That makes Safari absolutely unusable.

I've seen a few suggestions in this thread, but no one has confirmed that any of them work.

Had the same problem with Safari asking me over again for authentication after login to my website.

In my case the problem was caused by a jquery-plugin from the javascript folder (/js/flexslider.js).

The wollowing steps made it working for me:

First I added "satisfy all" and "options -Indexes" to the .htaccess in my "restricted_subdirectory":

AuthType Basic

AuthName "Restricted Area"

AuthUserFile /home/mysite.com/restricted_subdirectory/.htpasswd

AuthGroupFile /dev/null

require valid-user

satisfy all

Options -Indexes

Then I added a .htaccess file to every subdirectory ( /js /images /css - every folder that's related to the script) with only
satisfy any

I'm not sure this is a proper solution but that made it working for my simple needs. Maybe it works for some of you guys as well. .

I have the same problem on Yosemite and Safari 8.0.

Internal web application with HTTP authentication, keeps asking for password (which is saved in keychain) almost all the time...

So frustrating.

Just to correct myself, application is on IIS and with Windows integrated authentication.

It works normal with Chrome, but with Safari it keep asking for password on almost every request.