Lucee Development / LDEV-95

CFHTTP doesn't send username and password attributes as Basic Authentication header over SSL

    Details

    • Type: Bug
    • Status: Deployed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.5.1.000
    • Fix Version/s: 5.2.8.34
    • Sprint: May 2018 Sprint

      Description

      Specifying username and password attributes in cfhttp should result in a Basic Authorization header being sent (using the default authType and preAuth attribute values).

      When the URL is standard http over port 80, this happens, but with an SSL URL over 443 the Authorization header is not automatically sent.

      ACF sends the Auth header regardless of SSL.

      Steps to reproduce

      1. Make a .cfm file containing <cfdump var="#GetHttpRequestData()#"> available at an HTTPS URL.
      2. Call the URL over HTTPS using

      http method="get" url="[HTTPS URL]" result="result" username="u" password="p"{};
      echo( result.filecontent );
      

      3. Check for an "Authorization" header in the output.

      Workaround

      Sending the Authorization header manually in Lucee using cfhttpparam works:

      httpparam type="header" name="Authorization" value="Basic #ToBase64( 'username:password' )#";
      

      Previously raised against Railo 4.2.1.008 https://issues.jboss.org/browse/RAILO-3315
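
An independent receiving-side check for step 3, added here as an example (it is not part of the original report or of Lucee): it classifies the Authorization header of a received request, so the HTTP and HTTPS cases can be compared with the same test. The function name, verdict strings and sample header sets are constructed for illustration; the credentials "u" / "p" are the ones used in the reproduction steps.

```python
import base64
import hmac

def check_basic_auth(headers, expected_user, expected_password):
    """Classify the Authorization header of one received request.

    Returns "missing", "not-basic", "malformed", "mismatch" or "ok".
    """
    # HTTP header names are case-insensitive, so normalise before the lookup.
    value = {k.lower(): v for k, v in headers.items()}.get("authorization")
    if value is None:
        return "missing"          # the behaviour reported for HTTPS URLs
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return "not-basic"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:            # bad alphabet, bad padding, non-ASCII token
        return "malformed"
    # Basic credentials are "user:password"; without a colon they are invalid.
    if b":" not in raw:
        return "malformed"
    expected = f"{expected_user}:{expected_password}".encode("utf-8")
    # Constant-time comparison, in case this is reused outside a test harness.
    return "ok" if hmac.compare_digest(raw, expected) else "mismatch"

# Constructed sample header sets, shaped like what the dump endpoint would show.
SAMPLES = {
    "http, username/password attributes": {
        "Host": "example.invalid", "Authorization": "Basic dTpw"},
    "https, username/password attributes (as reported)": {
        "Host": "example.invalid"},
    "https, manual header via httpparam": {
        "host": "example.invalid", "authorization": "Basic dTpw"},
}

def run_samples():
    return {name: check_basic_auth(h, "u", "p") for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:10} {name}")
```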

            People

            • Assignee: 21solutions Igal Sapir
            • Reporter: julianhalliwell Julian Halliwell
            • Votes: 8
            • Watchers: 7
