Intermittent Digest authentication failures with XMLHttpRequest

Not reproducible Issue #106577

Details

Created
Apr 27, 2014
Privacy
This issue is public.
Found in build #
0.0011
Reports
Reported by 0 people

Steps to reproduce

Repro Steps:

A JavaScript-enabled application runs from a site that uses digest authentication.

On accessing the site, the server (Apache) issues a 401 and the standard pop-up/authentication succeeds.

Some time later, the user triggers JS that:
Creates an XMLHttpRequest object
Initializes it for an async POST
Sends data

As seen in a Wireshark trace (and with IE script debugging):

Normally, IE sends the cached credentials as Authorization, and the onreadystatechange function reaches 4 (DONE).

Sometimes, the server sends a 401 and IE never responds. onreadystatechange only reaches 1. Eventually, the server closes the connection with a 408 (timeout).

However, the XMLHttpRequest never completes. It should re-send the request with the new digest, transparently to the JS. One might understand if it completed with a 401 status. It does neither.

It appears that this happens when the server times out the Digest, and sends a 401 response, including “stale=true” in the challenge.

Once in this state, repeating the request produces the same hang (and another incomplete XMLHttpRequest).

Refreshing the page and immediately re-submitting the request authenticates properly.

Firefox behaves correctly.

Expected Results:

XMLHttpRequest sends the Digest authenticator and completes.

Worst case, it reports an error status and completes.

Hanging forever is not expected (or acceptable).

Actual Results:

Attachments

0 attachments
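
The following added example, which is not part of the original report, parses a Digest challenge as it would appear in a capture and classifies a 401 by its stale flag, using the RFC 7616 rule that stale=true means the client may retry with the new nonce without re-prompting the user. The function names and sample header values are constructed for illustration, and the parser assumes the header value carries a single Digest challenge.

```javascript
// Added example, not from the original report. Assumes one Digest challenge
// per WWW-Authenticate value; all names and sample values are constructed.

// Parse the auth-params of a Digest challenge into an object with
// lower-cased keys. Returns null if the value is not a well-formed challenge.
function parseDigestChallenge(headerValue) {
  const m = /^\s*Digest\s+(.*)$/i.exec(String(headerValue));
  if (!m) return null;
  const rest = m[1].trim();
  // auth-param = token "=" ( token / quoted-string ). Quoted strings may hold
  // commas and backslash-escaped characters, so splitting on "," is wrong.
  const re = /\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)/y;
  const params = {};
  let pos = 0;
  while (pos < rest.length) {
    re.lastIndex = pos;
    const p = re.exec(rest);
    if (!p) return null; // malformed parameter list
    const value = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
    params[p[1].toLowerCase()] = value;
    pos = re.lastIndex;
  }
  return params;
}

// Classify a response the way a conforming Digest client has to:
// - "stale-nonce-retry": credentials were fine, only the nonce expired, so the
//   request should be re-sent with the new nonce and no user prompt.
// - "prompt-for-credentials": stale absent or anything other than "true".
function classify401(status, wwwAuthenticate) {
  if (status !== 401) return "not-a-challenge";
  const c = parseDigestChallenge(wwwAuthenticate);
  if (!c || !c.nonce) return "no-digest-challenge";
  return (c.stale || "").toLowerCase() === "true"
    ? "stale-nonce-retry"
    : "prompt-for-credentials";
}

// Constructed sample: the kind of challenge the report describes.
const SAMPLE_STALE = 'Digest realm="app \\"internal\\", site", qop="auth", ' +
  'nonce="constructed-nonce-0002", opaque="constructed-opaque", ' +
  'algorithm=MD5, stale=true';

console.log(classify401(401, SAMPLE_STALE));
```

Run over the 401 responses in a trace, this separates nonce-expiry challenges, where a silent retry is the expected client behaviour, from challenges that call for new credentials.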

    Comments and activity

    • Microsoft Edge Team

      Changed Status to “Confirmed”

      Changed Assigned To to “IPBS P.”

      Changed Status from “Confirmed” to “Not reproducible”

      Changed Assigned To from “IPBS P.” to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Erik A.”
