Testing HTTP Basic Authentication
A few weeks ago, a customer reported an issue with HTTP Basic Authentication when using our WonderSwitcher browser extension.
Sites that use Basic Auth normally show a browser prompt asking for a username and password. When connected to a proxy in the Switcher (in v4.6.4), the prompt never showed and the site returned a 401 Unauthorized error instead. Oops!
Fixing the Switcher bug
The problem was that the Switcher was trying to handle any and all browser requests for authentication. The Switcher uses Proxy-Authenticate to connect you to proxy servers, but WWW-Authenticate is how HTTP Basic Auth gets started, and the Switcher isn't designed to handle that. We modified the Switcher to ignore WWW-Authenticate, so now those Basic Auth requests bypass the Switcher completely (thanks Tom!).
Testing Basic Auth with httpbin
Once we had a fix in place, we needed a good way to test it. If you haven't used httpbin before, it's a simple web-based HTTP client. It provides a number of useful endpoints that make it a super handy tool for testing.
The endpoint for Basic Auth is /basic-auth/{user}/{passwd}. For example, if you go to http://httpbin.org/basic-auth/foo/bar you'll see a prompt and you can authenticate using the username foo and the password bar.
Once you authenticate successfully, you'll see some JSON that says "authenticated": true and shows the username you used.
Clearing Basic Auth credentials
Testing Basic Auth prompts can get a bit annoying. Browsers automatically remember your credentials and reuse them, which means the prompt will stop appearing once you've authenticated successfully (until the next time you close your browser). Basic Auth credentials aren't stored with other passwords in most browsers, so it's not immediately obvious where to find them or how to reset them.
If you're using httpbin, you can sidestep this problem by inventing new URLs for each test. But what if you want to confirm a specific page is working correctly? Quitting and reopening your browser between each test is a headache.
Luckily, there's a way to make browsers forget any HTTP Basic Auth credentials they've previously remembered.
Clear Basic Auth credentials in Chrome & Edge
(working as of Chrome 87.0 & Edge 87.0)
- Open Clear Browsing Data (
Ctrl+Shift+DelorCmd+Shift+Del) - Select Cookies and other site data
- Select Cached images and files
- Select a suitable time range (e.g. Last hour)
- Click Clear data
Clear Basic Auth credentials in Firefox
(working as of Firefox 84.0.2 — shout out to the folks on Super User for these instructions)
- Open Clear Recent History (
Ctrl+Shift+DelorCmd+Shift+Del) - Select Active Logins
- Select Cache
- Select a suitable time range (e.g. Last Hour)
- Click OK
Clear Basic Auth credentials in Safari
(working as of Safari 14.0)
- Go to Safari → Preferences
- Click on the Privacy tab
- Click Manage Website Data
- Search for the domain you're testing (e.g. httpbin.org)
- Click Remove
Voilà! When you visit your test page, you'll see the credential prompt again.
We hope you'll find these steps helpful! We're happy to say we've shipped our bug fix too, so you won't see this bug anymore in v4.6.5 of the Switcher.
