
Enhancement: Saved tab state should include HTTP auth

Posted: 2021-12-03, 11:57
by jb_wisemo
When something crashes Pale Moon, the next run offers to reload the state of all tabs. This is a nice feature, but has a limitation which I suggest improving:

If any of those tabs accessed the page with HTTP(S) auth rather than cookie-based auth, the restored session does not include the auth data, and thus the user is prompted to enter credentials again.

The suggested enhancement is to include the HTTP auth data (appropriately encrypted) in the crash restore state, just like it may contain appropriately encrypted cookies, POST parameters etc.

This may be vaguely related to Bugzilla bug #789062, which is about that restore being done incorrectly in Fx 13.x.

Analysis of the 7 things to think about (viewtopic.php?f=5&t=5647):

1. No, this is not specific to a workflow, other than the general case of a browser crash when using the fundamental HTTP Auth browser feature.
2. This does not add any gadget or toy, it is merely to have an existing core feature work with another existing core feature.
3. This feature is culturally neutral as far as the two involved core features are culturally neutral.
4. Websites using HTTP Auth may be rare these days, but do exist. That is the only aspect that might be considered "advanced usage".
5. I know of no extension or extension mechanism to add more state (especially state for core components such as HTTP) to the session restore file.
6. Yes, this improves overall quality as it removes a situation where users have to reenter their login after a browser crash.
7. This suggestion does not hinder access to any resource.

Re: Enhancement: Saved tab state should include HTTP auth

Posted: 2021-12-03, 13:18
by Moonchild
Sorry, but no.
Saved tab state should not include HTTP auth credentials because (1) there is no way to safely store this data and (2) by design this kind of authentication is scoped within a single session.

Compromising security for the convenience of recovery from a shutdown or crash is unacceptable. You can store credentials in the password manager for automatic logging in if you need to use auth for a certain site regularly -- this will have all the proper security measures to prevent credential theft and will allow swift authentication to http auth protected resources.