Enhancement: Saved tab state should include HTTP auth


Post by jb_wisemo » 2021-12-03, 11:57

When something crashes Pale Moon, the next run offers to reload the state of all tabs. This is a nice feature, but it has a limitation which I suggest improving:

If any of those tabs accessed the page with HTTP(S) auth rather than cookie-based auth, the restored session does not include the auth data, and thus the user is prompted to enter credentials again.

The suggested enhancement is to include the HTTP auth data (appropriately encrypted) in the crash restore state, just like it may contain appropriately encrypted cookies, POST parameters etc.

This may be vaguely related to Bugzilla bug #789062, which is about that restore being done incorrectly in Fx 13.x.

Analysis of the 7 things to think about (viewtopic.php?f=5&t=5647):

1. No, this is not specific to a workflow, other than the general case of a browser crash when using the fundamental HTTP Auth browser feature.
2. This does not add any gadget or toy, it is merely to have an existing core feature work with another existing core feature.
3. This feature is culturally neutral as far as the two involved core features are culturally neutral.
4. Websites using HTTP Auth may be rare these days, but do exist. That is the only aspect that might be considered "advanced usage".
5. I know of no extension or extension mechanism to add more state (especially state for core components such as HTTP) to the session restore file.
6. Yes, this improves overall quality as it removes a situation where users have to reenter their login after a browser crash.
7. This suggestion does not hinder access to any resource.


Post by Moonchild » 2021-12-03, 13:18

Sorry, but no.
Saved tab state should not include http auth credentials because (1) there is no way to safely store this data and (2) by design this kind of authentication is scoped within a single session.

Compromising security for the convenience of recovery from a shutdown or crash is unacceptable. You can store credentials in the password manager for automatic logging in if you need to use auth for a certain site regularly -- this will have all the proper security measures to prevent credential theft and will allow swift authentication to http auth protected resources.