I am accessing a web application using Chrome. If I sign out of the app and clear all Chrome history/cookies/etc (even Flash cookies which are now handled by Chrome in the same Clear History area) and then re-access the site, I am automatically logged in without being prompted for credentials.
I then launched Chrome in Incognito mode and was able to reproduce the same behavior. However, I was prompted upon the first logon while in Incognito mode.
The web application behaves as expected in Internet Explorer 10.
Some info about the application:
- It's a Sharepoint site using NTLM authentication
- The credentials are Active Directory-based, as the username is domain\username
- My connection is over the Internet and there is no AD relationship between my local Windows account, my Windows PC. In other words I (meaning my locally logged on user and my PC) am not in any way part of their AD domain.
- The site is running SSL on port 443
Why might Chrome be automatically authenticating me?
I met the same issue. I think it's Chrome remembering NTLM credentials until the window is closed, just like how Chrome (and other browsers) treat basic authentication. Note that this is different from the "save password" functionality, which pre-fills the pop-up instead of preventing it. – Franklin Yu – 2017-08-16T19:50:54.767
I tried latest Firefox and it has the same issue, so it's not Chrome-only. – Franklin Yu – 2017-08-17T13:29:06.827
If it's using AD then it's likely not using basic HTTP authentication. If you already authenticated your AD credentials, that's likely the reason Chrome isn't asking you to authenticate again. – Ramhound – 2013-10-24T15:10:48.920
@Ramhound - Good catch. I verified with F12 tools that it is using NTLM authentication. But in any case, how is the site remembering me if I am clearing all browser cookies? There still needs to be a session mechanism to determine that I am the same person as before. Also just to clarify, my only authentication is via the browser, e.g. I am not authenticating in any other way with their domain and there is no relationship between my machine and their domain. – Howiecamp – 2013-10-24T15:25:42.413
@Ramhound - Also don't forget that IE is prompting me again. – Howiecamp – 2013-10-24T15:33:33.990
Use Fiddler or Wireshark to see if it's doing automatic Kerberos/SPNEGO authentication with your login credentials (look for the www-authentication: HTTP header, etc). It might be caching your login based on IP or something. This is really a problem you need to debug on the server side, but at least from the client side you will be able to see what kind of auth (if any) it's doing on a clean session, and what information (if any) your browser is sending to the remote site. – allquixotic – 2013-10-24T15:38:59.917
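As an added example (not from the original question or any of the commenters), the Python below does offline what the comment above suggests doing with Fiddler or Wireshark: given the WWW-Authenticate values captured from a clean-session 401 response, it lists the schemes the server offers and decodes the target domain, negotiate flags and server challenge from an NTLM Type 2 (CHALLENGE_MESSAGE) token, which is how you confirm that the "remembered" login is a connection-level NTLM handshake rather than a cookie. The header values and the NTLM message are constructed inline; the field layout follows MS-NLMP, and a 48-byte header (no Version field) is assumed.

```python
import base64
import struct

# NTLM negotiate flags reported below (MS-NLMP 2.2.2.5)
NEGOTIATE_UNICODE = 0x00000001   # TargetName is UTF-16LE
NEGOTIATE_NTLM = 0x00000200      # NTLM v1/v2 session security requested
TARGET_TYPE_DOMAIN = 0x00010000  # TargetName is a domain, not a server

def build_type2(target: str, flags: int, challenge: bytes) -> bytes:
    """Build a minimal NTLM CHALLENGE_MESSAGE (Type 2) for the constructed sample."""
    name = target.encode("utf-16-le")
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                 # signature, MessageType=2
    msg += struct.pack("<HHI", len(name), len(name), 48)        # TargetNameFields -> payload at 48
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8   # NegotiateFlags, ServerChallenge, Reserved
    msg += struct.pack("<HHI", 0, 0, 48 + len(name))            # empty TargetInfo
    return msg + name

def parse_type2(blob: bytes) -> dict:
    """Decode the fields a defender cares about from an NTLM Type 2 message."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    name_len, _, name_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    raw_name = blob[name_off:name_off + name_len]
    target = raw_name.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")
    return {"target": target, "flags": flags,
            "target_is_domain": bool(flags & TARGET_TYPE_DOMAIN),
            "server_challenge": blob[24:32].hex()}

def analyse_www_authenticate(values: list) -> dict:
    """Classify WWW-Authenticate header values and decode an NTLM challenge if present."""
    result = {"schemes": [], "ntlm_challenge": None}
    for value in values:
        scheme, _, token = value.strip().partition(" ")
        result["schemes"].append(scheme)
        if scheme.upper() in ("NTLM", "NEGOTIATE") and token:
            try:
                result["ntlm_challenge"] = parse_type2(base64.b64decode(token))
            except (ValueError, struct.error):
                pass  # a Negotiate token may be SPNEGO/Kerberos rather than raw NTLM
    return result

# Constructed sample: a 401 offering Negotiate and NTLM, the NTLM value carrying a Type 2 reply
SAMPLE_CHALLENGE = build_type2("CONTOSO", NEGOTIATE_UNICODE | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN,
                               bytes.fromhex("0123456789abcdef"))
SAMPLE_HEADERS = ["Negotiate", "NTLM " + base64.b64encode(SAMPLE_CHALLENGE).decode()]
```

Seeing a Type 2 challenge on the very first request of a cleared session tells you the server is re-running the NTLM handshake and the browser is answering it, so no cookie is involved in the "remembered" state.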
"It's a Sharepoint site using NTLM authentication" - The entire point of NTLM authentication is that you don't get prompted for authentication. Your credentials are automatically passed. If you want to authenticate as a different user, restart your browser and run it as a different user. – Zoredache – 2013-10-24T18:32:34.200
@Zoredache - Keep in mind this is not an intranet app and there is no NTLM/Kerberos communication between my workstation and the server. It's browser-only. Browsers, regardless of the authentication mechanism (NTLM, etc) need some means of maintaining state. My question is how is that state maintained? After I clear browser cookies, cache, etc there should be no means for the server to remember who I am. – Howiecamp – 2013-10-26T21:36:38.660