@tuupola
Created March 17, 2011 18:27
Safari Authorization header broken after 302 redirect
# Run the app (ruby app.rb or shotgun app.rb)
#
# Open the page. Log in with test and test. Reload a few times. Page loads fine. Then
# click the link which makes a 302 redirect back to the original page. Now when you reload it asks for
# username and password again. If you check the logs you can see the credentials are now broken.
# tcpdump also shows the Authorization header is broken.
#
# Tested with Safari 5.0.4 (6533.20.27), Safari 5.0.3 (6533.19.4)
# WebKit Nightly 5.0.3 (6533.19.4, r80833)
require "rubygems"
require "sinatra"
require "pp"

# Every request must carry valid Basic credentials.
before do
  require_login!
end

get "/" do
  redirect "/foos"
end

get "/foos" do
  haml :foos
end

# The link on /foos points here; the 302 back to /foos is what triggers the bug.
get "/foos/:id" do
  redirect "/foos"
end

def require_login!
  unless authorized?
    response["WWW-Authenticate"] = %(Basic realm="Protected")
    throw(:halt, [401, "Not authorized\n"])
  end
end

def authorized?
  @auth ||= Rack::Auth::Basic::Request.new(request.env)
  # Dump whatever Rack decoded from the Authorization header, so the
  # corrupted credentials show up in the server log.
  if @auth.provided?
    pp @auth.credentials
  else
    pp "Not provided."
  end
  @auth.provided? && @auth.basic? && @auth.credentials && @auth.credentials == ["test", "test"]
end

__END__

@@ layout
%html
  = yield

@@ foos
%a{:href => "/foos/666"} Make a GET request which redirects back to this page.
== Shotgun/Mongrel on http://127.0.0.1:9393/
"Not provided."
127.0.0.1 - - [19/Mar/2011 22:08:27] "GET / HTTP/1.1" 401 15 0.0091
["test", "test"]
127.0.0.1 - - [19/Mar/2011 22:08:33] "GET / HTTP/1.1" 302 - 0.0083
"Not provided."
127.0.0.1 - - [19/Mar/2011 22:08:33] "GET /foos HTTP/1.1" 401 15 0.0081
["test", "test"]
127.0.0.1 - - [19/Mar/2011 22:08:35] "GET /foos HTTP/1.1" 200 95 0.2404
["test", "test"]
127.0.0.1 - - [19/Mar/2011 22:08:36] "GET /foos/666 HTTP/1.1" 302 - 0.0085
["test", "test"]
127.0.0.1 - - [19/Mar/2011 22:08:36] "GET /foos HTTP/1.1" 200 95 0.2387
["test", "test\005\253\"q\321\225\315\320\351\321\225\315"]
127.0.0.1 - - [19/Mar/2011 22:08:37] "GET /foos HTTP/1.1" 401 15 0.0082
> sudo tcpdump -s 0 -A -ni lo0 port 4567
** Login for the first time **
GET /foos HTTP/1.1
Host: 192.168.1.67:4567
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Authorization: Basic dGVzdDp0ZXN0
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://192.168.1.67:4567/foos
Connection: keep-alive
** Click a link which redirect back to same page **
GET /foos/666 HTTP/1.1
Host: 192.168.1.67:4567
Authorization: Basic dGVzdDp0ZXN0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://192.168.1.67:4567/foos
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 302 Moved Temporarily
Location: http://192.168.1.67:4567/foos
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: keep-alive
Server: thin 1.2.7 codename No Hup
GET /foos HTTP/1.1
Host: 192.168.1.67:4567
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Authorization: Basic dGVzdDp0ZXN0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://192.168.1.67:4567/foos
Connection: keep-alive
** Click reload and authorization header in request is broken. **
GET /foos HTTP/1.1
Host: 192.168.1.67:4567
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Authorization: Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://192.168.1.67:4567/foos
Connection: keep-alive
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Protected"
Content-Type: text/html;charset=utf-8
Content-Length: 15
Connection: keep-alive
Server: thin 1.2.7 codename No Hup
>> Thin web server (v1.2.7 codename No Hup)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:4567, CTRL+C to stop
"Not provided."
192.168.1.67 - - [19/Mar/2011 22:06:36] "GET /foos HTTP/1.1" 401 15 0.0006
["test", "test"]
192.168.1.67 - - [19/Mar/2011 22:06:40] "GET /foos HTTP/1.1" 200 95 0.0023
["test", "test"]
192.168.1.67 - - [19/Mar/2011 22:06:42] "GET /foos/666 HTTP/1.1" 302 - 0.0008
["test", "test"]
192.168.1.67 - - [19/Mar/2011 22:06:42] "GET /foos HTTP/1.1" 200 95 0.0023
["test", "test\005\253\"q\321\225\315\320\351\321\225\315"]
192.168.1.67 - - [19/Mar/2011 22:06:43] "GET /foos HTTP/1.1" 401 15 0.0009
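The garbage password in the log above (`"test\005\253\"q..."`) is what you get when the comma-joined header Safari sends after the redirect, `Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0`, is handed to a lenient base64 decoder: `unpack("m")` silently skips the comma and the space and then decodes the letters of the second `Basic dGVzdDp0ZXN0` as if they were more base64, so the server compares a corrupted password and returns 401. The example below is added here and is not part of the gist or of Rack; it uses only the Ruby standard library. The two header values are copied from the tcpdump capture above, while the function names, the strict regex and the duplicate-header check are this example's own. It reproduces the lenient decode byte for byte and pairs it with a strict parser that rejects such a header outright (and a detector so the server can log the condition distinctly instead of treating it as a wrong password).

```ruby
# Constructed inputs, copied from the capture above: the header from a normal
# request and the comma-joined one Safari sent after following the 302.
GOOD_HEADER   = "Basic dGVzdDp0ZXN0"
BROKEN_HEADER = "Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0"

# Lenient decode, the same unpack("m") that Rack::Auth::Basic::Request used:
# characters outside the base64 alphabet (',' and ' ') are skipped and the
# letters of the trailing "Basic dGVzdDp0ZXN0" are decoded as more base64,
# so the password comes back as "test" plus 12 bytes of garbage.
def lenient_credentials(header)
  scheme, param = header.to_s.split(" ", 2)
  return nil unless scheme && param && scheme.casecmp("basic").zero?
  param.unpack("m").first.split(":", 2)
end

# Strict parse (this example's own rule, not Rack's): exactly one scheme
# token, exactly one base64 token with nothing after it, decoded with the
# strict "m0" form, and a userid ":" password pair as RFC 2617 requires.
# Anything else (including the duplicated header) is rejected, nil.
def strict_credentials(header)
  m = /\ABasic[ \t]+([A-Za-z0-9+\/]+={0,2})\z/i.match(header.to_s)
  return nil unless m
  decoded = m[1].unpack("m0").first       # raises ArgumentError on bad base64
  user, pass = decoded.split(":", 2)
  return nil if user.nil? || pass.nil?    # no colon => not a user-pass pair
  [user, pass]
rescue ArgumentError
  nil
end

# True when the header carries more than one Basic credential joined by
# commas, the shape seen in the capture. Worth logging on its own so a
# client bug is not mistaken for a brute-force attempt.
def duplicated_basic_header?(header)
  header.to_s.split(",").count { |part| part.strip.match?(/\ABasic[ \t]/i) } > 1
end

# Same check as the gist's authorized?, but on the strictly parsed value.
# (Like the gist, this uses ==; a production check would compare in constant time.)
def authorized_with?(header)
  strict_credentials(header) == ["test", "test"]
end

if __FILE__ == $0
  [GOOD_HEADER, BROKEN_HEADER].each do |h|
    puts h.inspect
    puts "  lenient:    #{lenient_credentials(h).inspect}"
    puts "  strict:     #{strict_credentials(h).inspect}"
    puts "  duplicated: #{duplicated_basic_header?(h)}"
    puts "  authorized: #{authorized_with?(h)}"
  end
end
```

Run it with `ruby basic_auth_check.rb` (any file name will do). The lenient line for the broken header prints the same `"test\x05\xAB\"q\xD1\x95\xCD\xD0\xE9\xD1\x95\xCD"` tail that appears in the server logs, which is the quickest way to confirm that a mysterious 401 after a redirect is this client behaviour and not a credential problem. The strict parser deliberately does not "pick the first credential" from the duplicated header: once the client has started mangling its own headers you cannot know which copy it meant, so failing closed and logging the condition is the safer choice.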