How do I keep Firefox from prompting for username/password with HTTP Basic Auth with JQuery AJAX?

4

13

I'm writing some browser side dynamic functionality and using HTTP Basic Auth to protect some resources. The user experience is very important and is highly customized.

Here's a simple test JQuery method that eventually will test if a user has supplied the right credentials in a form:

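$(document).ready(function() {
  $("#submit").click(function() {
    // Base64 is an external helper, not part of jQuery.
    // The token is built here but not sent yet; the header below is a
    // hard-coded test value.
    var token = Base64.encode($('#username').val() + ':' + $('#password').val());
    $.ajax({
      url: '/private',
      method: 'GET',
      async: false,
      beforeSend: function(req) {
        req.setRequestHeader('Authorization', 'test:password');
      },
      error: function(request, textStatus, error) {
        // A 401 should only trigger this alert, not the browser's own dialog.
        if (request.status == 401) {
          alert('401');
        }
      }
    });
    return false;
  });
});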

If they are not allowed to access /private, at the moment they should see just the alert box. However, on Firefox, a browser-provided login form pops up (to retry with new credentials). Safari does not do this.

We want to completely control the experience with custom forms, fades, transitions, etc. How can I keep Firefox's default box from being shown? (If this will be an issue when we test for IE, I'd love to hear solutions there, too.)

Estovers answered 30/5, 2009 at 2:56 Comment(1)
Note the follow-up at #929467. – Counterproductive
4

In case you haven't read it:

How can I suppress the browser's authentication dialog?

Doesn't look too promising :)

Moonlight answered 30/5, 2009 at 3:18 Comment(0)
37

The solution is to set the WWW-Authenticate header to something other than Basic. For example set it to:

WWW-Authenticate: None

or

WWW-Authenticate: FormBased

if you use form based login. Then the browser will not show you a login window.

Edwin answered 30/9, 2013 at 19:27 Comment(4)
As indicated in the related question's answer comment, WWW-Authenticate should indicate one (or more) valid challenges. And I think, too, that None isn't a real one. #1748874 – Hephzipa
Please look here for a solution on how to solve this with Java and Spring Security: #19080187 – Edwin
It is the solution, albeit looking irregular. ietf.org/rfc/rfc2617.txt (4.6) specifies multiple schemes, however does not restrict to Basic, Digest etc. So it's up to the client (browser) to support a scheme or not; if the scheme is not supported, the browser does no user interaction. I use this approach for transparent fallback from Windows SSO (SPNEGO) to a simple form login. BTW: only works reliably in Chrome+IE when accessing the server via hostname; don't use IPs. – Monecious
@Monecious I don't know how you got a transparent fallback going, so I "fixed it" by creating an API endpoint "testGSS" which tries to evaluate as many parameters as possible from the client (which network, which browser, etc...) and when there is a high likelihood Negotiate auth is going to work, sends a positive reply. The web app then tries Negotiate auth and when that succeeds, stores a flag in localStorage. Next time when the web app sees this flag it immediately goes to the Negotiate auth endpoint; all other cases go to the form based method. – Offbeat
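The approach from the answer above, as an added example that is not code from the thread: a headers-in, response-out function that keeps the `Basic` challenge for ordinary navigation but answers jQuery's XHR with a non-Basic scheme, so the browser has no challenge it knows how to prompt for. The names `respond` and `parseBasic`, the sample user table, the realm, and the use of `X-Requested-With` to detect AJAX are assumptions.

```javascript
// Added example (assumptions: USERS, REALM, function names, and the
// X-Requested-With check). Takes lower-cased request headers and returns
// the status and response headers a server would send for /private.
const USERS = new Map([['test', 'password']]); // constructed sample credentials
const REALM = 'private';

// Decode "Authorization: Basic <base64(user:pass)>"; null if malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // split on the first ':'; the password may contain more
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

function respond(headers) {
  const creds = parseBasic(headers['authorization']);
  if (creds && USERS.get(creds.user) === creds.pass) {
    return { status: 200, headers: {} };
  }
  // jQuery adds X-Requested-With: XMLHttpRequest to same-origin requests.
  // The header is client-controlled, so it only selects which challenge is
  // returned; it never influences the authentication decision above.
  const isAjax = headers['x-requested-with'] === 'XMLHttpRequest';
  const challenge = isAjax ? 'FormBased' : `Basic realm="${REALM}"`;
  return { status: 401, headers: { 'WWW-Authenticate': challenge } };
}
```

The status stays 401 in both cases, so the `error` callback in the question still sees `request.status == 401`; only the challenge scheme differs.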
3

Unfortunately, I am hitting the same issue here.

In my opinion, browsers should not give a prompt for an XMLHttpRequest. I really wish someone would push that, 'cause people are really wanting to move to jQuery for their auth needs.

Well, here is the help I can give you: I found this jQuery Digest thing. I have no idea what it really does or anything, but if someone could take this code the right way, we could have a jQuery digest auth system.

https://www.openhub.net/p/digestj

I would think with this handy new AuthDigestDomain option, we could have the above script rewritten or whatever and have the secured area 'linked' together and we could get past this problem once and for all. Well... best of luck =)

Ludicrous answered 25/7, 2009 at 1:41 Comment(0)
1

I found somewhere a workaround of this authentication popup issue.

WWW-Authenticate: None

doesn't work for me, but I've added

'Authorization': 'Basic'

to the headers and it works like a charm.

Sexuality answered 16/7, 2019 at 20:41 Comment(0)
