After upgrading to Mac OS X Lion, Safari 5.1 appears to not behave correctly with HTTP basic access authentication and server page redirects. Safari 5.1 is prompting for the username and password again on pages protected by HTTP basic access authentication, but only if those pages are the result of the server sending a 301 or 302 header to redirect to that page. Previous versions of Safari, and all othe current web browsers, do not prompt for the password again. I have confirmed this problem on three separate Macs running Safari 5.1.
A sample workflow:
- In Safari 5.1, visit a web site with HTTP basic access authentication in place
HTTP basic access authentication can be configured on an Apache web server using directives such as "AuthType Basic" and "Require valid-user" either within the main server's configuration or inside a .htaccess file. It's typically used in conjunction with a .htpasswd file.
- Safari presents a sheet window asking for a username and password
This only appears if it's the first time visiting the site since opening Safari. Log in with the username and password, click "Log in," and the page loads.
- Click a link to a regular page on the site
The page loads. There's no re-entry of username and password required as expected.
- Click a link to a page that sends a 301 or 302 "moved" header to redirect the browser to another page
The sheet window appears in Safari asking for the username and password again.
This behavior is incorrect.
For reference, Safari's "AutoFill web forms" is checked in the Preferences window; however, I do not check the "Remember this password in my keychain" checkbox in the sheet window Safari produces to enter the username and password for HTTP basic access authentication.
Oddly, a lot of my day-to-day web development has this scenario which renders Safari 5.1 unusable at this time. I have been unable to find anyone else mentioning this issue.
Has anyone else also noticed this?