Multiple http auth details on the same site + chrome save password functionality, is there any way to handle this case?

Google Chrome seems to be saving passwords on a per site basis, but I'm developing a site where I'd like to have different http authentication details depending on the directory accessed AND have Chrome remember this.

That is to say, http://example.com/a and http://example.com/b have different http user/password combinations. I'd like Chrome to remember both, such that when I enter http://example.com/a I'm accessing with the corresponding user/password combo for /a, and likewise for /b. If I use the built in function to save passwords in Chrome, the browser saves both user/password combinations for http://example.com globally and doesn't remember which one to use depending on the address, instead defaulting to one of them for any address accessed on http://example.com

Is there any way around this, besides setting up different subdomains for each directory?

Mahn

Posted 2013-09-24T12:40:40.077

Reputation: 742

2Wow this is from 2013 and in version 57, 2017 this is still not fixed... And this is the browser that has nearly 60% market share? – Alain Pannetier – 2017-04-15T16:19:20.573

2@AlainPannetier yep, to this day I still haven't found a workaround, I just resort to using subdomains or inputting passwords manually every time. – Mahn – 2017-04-15T21:14:13.123

2lol. I've been moaning decades about closed source and now I have a problem with open source: I just want to clone and customise everything. Chromium is easy (albeit lengthy) to rebuild. But their developer have become so arrogant, as their market share increased, that I'm only using for development. And I just rolled back to 52 because opening the devtools in 57 just... crashed chrome. I might give it a try though. I'll let tou know. – Alain Pannetier – 2017-04-16T02:53:53.557

@AlainPannetier the thing with Chromium is that the code base is enormous, I get the feeling it would be easier to refactor the entire linux kernel than making an interface change there. I found it too daunting but maybe you have better luck than me there. – Mahn – 2017-04-16T17:16:49.020

Well, this has been working in Firefox ...till 3.0 - and then they've "fixed" it.

– Tomasz Pala – 2018-06-09T07:30:11.710

Why not use something like LastPass that does support multiple site logins consequently? – LPChip – 2018-08-09T15:01:06.900

1Do all paths specify the same HTTP authentication "realm", or are they separate? – user1686 – 2019-01-13T17:08:54.413

Answers

If you specify different realms for the different subfolders, Chrome will behave properly, for example this works just fine in nginx:

    location /gabinete-rivera {
        auth_basic "Hijos de Rivera";
        auth_basic_user_file /home/www/public/gabinete-rivera-app/.htpasswd;
        index  index.php index.html;
        try_files $uri $uri/ /index.php?$query_string;
    }

    location /gabinete-gases {
        auth_basic "Gases Fluorados";
        auth_basic_user_file /home/www/public/gabinete-gases-app/.htpasswd;
        index  index.php index.html;
        try_files $uri $uri/ /index.php?$query_string;
    }

Marcos Besteiro López

Posted 2013-09-24T12:40:40.077

Reputation: 109

Build a simple chrome plugin that can use the form id or name and get the data (if it is just username and password) and store it each time you click submit. Storage can be an offline text file file with little or no encryption. Or somehow use some API for passwords.google.com and store it manually. That way chrome will get the passwords from your Google account. Alternative: Introduce a (vulnerability) JavaScript to website and send it to passwords.google.com to store it using an API if available.

user103720

Posted 2013-09-24T12:40:40.077

Reputation: 19

The question is about HTTP authentication, i.e. this: https://i.imgur.com/WsXRu7J.png. That cannot be hijacked with a plugin or javascript.

– Mahn – 2019-01-13T16:32:13.690