On Mon, Apr 11, 2016 at 10:04 AM, Süleyman Kuran <skuran@ayk.gov.tr> wrote:
[root@localhost ~]# curl -v -k https://localhost/ ... < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 06:59:39 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < WWW-Authenticate: Basic realm="Auth required" < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 ... And the output to the second curl command is as follows:
[root@localhost ~]# curl -v -k https://localhost/ -u bad_user:bad_pwd ... < HTTP/1.1 401 Unauthorized < Date: Mon, 11 Apr 2016 07:02:10 GMT < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 < Content-Length: 381 < Content-Type: text/html; charset=iso-8859-1 ... And I am not so sure, this is a browser problem.
No, it's not a browser problem, as you can see the server does not send 'WWW-Authenticate: Basic' header when trying wrong credentials (chrome probably just remembers). Quote from RFC 2617: "If the origin server does not wish to accept the credentials sent with a request, it SHOULD return a 401 (Unauthorized) response. The response MUST include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource." I'll try to take a look at the code.