Infinite loop of popup HTTP Basic Auth windows created @ session restore

I’ve had this issue intermittently for quite a while (1+ years). I think it’s associated with when a Firefox session is restored, and a tab for a site with HTTP Basic Auth is revisited. Kee will start generating many popup windows with matching credentials, but it gets stuck in a loop such that I can never actually pick one and it just eventually crashes the browser if left to keep creating the popups.

Common things about when it happens:

  • Usually happens after a HTTP Basic Auth page was visited and left in background
  • Some time passes
  • Firefox crashes (for any reason) or just needs a session restore
  • Session Restore happens
  • Background tab with HTTP Basic Auth page gets re-activated and then a slew of Auth popups get generated
  • Often the only way to escape the loop is to kill Firefox in Task Manager and abandon that session restore (as it seems to occur across multiple session restores once whatever triggers it occurs).

Sites: My router’s config page(s) and Wyze (defang) webcam - both of which use HTTP Basic Auth. I’ve never seen it happen with anything other than HTTP Basic Auth pages.

System info:
Windows 10
Firefox (latest/various versions) currently v90.0 (64-bit)
Kee v3.9.5
KPRPC: v1.14
Keepass 2.48.1(64bit)

See this screenshot of the most recent incident. I blurred the background info to protect the privacy of the innocent…

I know that’s not a lot of info to go on, but I’d be happy to try collecting some debug or better info, just let me know what you need and how I can get you better detail to track this down.

I have been getting this too, but in my case, it happens when I have a tab open to my Transmission instance’s web interface (already authorized and open properly, I might add). I’ll lock my desktop, go away for several hours, and return only to find hundreds of these auth windows littering the screen — or else Firefox itself has crashed and when I reopen it, the restored session has the hundreds of auth windows in it.

I saw a mention of this as a drive-by comment in an unrelated GitHub issue a few years ago so it appears to affect at least 3 people now. I’m still not able to reproduce it but have given some further thought to what might cause it.

Firstly though, are you sure that it is necessary to abandon the session restore? I would expect that things would restore normally if you do so with no open database. Hopefully that will slightly reduce the severity of the issue until we can find out what is happening.

My best guess as to the cause is that Firefox is re-issuing the same request ID while we are still processing the earlier instance of that request. That sounds like a Firefox bug but perhaps could be expected either as part of session restore or due to the interference of other add-ons. Do you have any other extensions installed and can you reproduce the problem with only Kee enabled?

Maybe we could develop a workaround where we only create one window per request ID and/or automatically close any window that detects it is for the same ID. I won’t have time to implement that myself for a while but if someone wants to have a go at it and create a pull request on GitHub, I’ll help to get it incorporated into the next Kee release.
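
The workaround proposed in the post above (one window per request ID), as an added sketch that is not Kee's code and not part of the original thread. `AuthPromptDeduper` and `openPrompt` are hypothetical names; only the `webRequest` events and `requestId` are real WebExtension API. Handing a repeated, already-answered ID back to the browser's own prompt is an assumption of this sketch.

```javascript
// Added example: AuthPromptDeduper and openPrompt are hypothetical names, not Kee's code.
class AuthPromptDeduper {
  constructor(openPrompt) {
    // openPrompt(details) opens ONE picker window and resolves to
    // { username, password }, or null if the user dismissed it.
    this.openPrompt = openPrompt;
    this.seen = new Map(); // requestId -> { promise, settled }
  }

  // Shaped like a blocking webRequest.onAuthRequired listener.
  onAuthRequired(details) {
    const entry = this.seen.get(details.requestId);
    // Same ID while its window is still open: reuse it, open nothing new.
    if (entry && !entry.settled) return entry.promise;
    // Same ID after we already answered once: take no action, so the
    // browser's own prompt takes over instead of another popup.
    if (entry) return {};
    const record = { settled: false, promise: null };
    record.promise = new Promise((resolve) => resolve(this.openPrompt(details)))
      .then((creds) => (creds ? { authCredentials: creds } : {}), () => ({}))
      .finally(() => { record.settled = true; });
    this.seen.set(details.requestId, record);
    return record.promise;
  }

  // Call when the request ends so the map does not grow without bound.
  forget(details) { this.seen.delete(details.requestId); }
}

// Wiring, active only inside a WebExtension background script.
if (typeof browser !== "undefined" && browser.webRequest) {
  // Placeholder opener that always dismisses; a real one would show the picker.
  const deduper = new AuthPromptDeduper(async () => null);
  const filter = { urls: ["<all_urls>"] };
  browser.webRequest.onAuthRequired.addListener(
    (d) => deduper.onAuthRequired(d), filter, ["blocking"]);
  browser.webRequest.onCompleted.addListener((d) => deduper.forget(d), filter);
  browser.webRequest.onErrorOccurred.addListener((d) => deduper.forget(d), filter);
}
```
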

I thought I had a session restore on tap that I could do some testing with, but the session restore somehow contains a list of ALL possible prompts that were already open (i.e. it’s restoring pre-existing popup prompts, instead of generating brand new prompt windows at restore time). Unfortunately, this makes this current session restore basically useless for testing :frowning: I’ll have to hit the bug “naturally” somehow to do any testing.

RE: First Thought - closing KP DB. I’m afraid this may not help b/c windows are hard-coded in the session restore. Will have to wait to hit issue again naturally.

RE: Other extensions: Yes, I have a number of other extensions, I’ll try disabling all except KP. I’ll do some more testing to see if I can determine a more exact cause of the issue.

I just had those popup loops twice in FF 90.0.2 (64bit). The webpage in question was the login to my Linux firewall which is using basic auth. I do not use session restore upon restart of FF. Those popups do appear without any reason during FF running in background or foreground.

I’ve successfully logged in to the firewall after the first popup appeared and I selected the appropriate item from the list.

After this I did several things on my PC and browser. I fired up a VM, switched to FF and surfed the firewall admin pages, returned to the VM and much more. The PC was locked and unlocked several times during this time. I did not notice that in the background all of those popups were created.

FWIW: I never had to re-enter the credentials to the firewall admin page again. I could work as expected on that admin website.

After a break I unlocked the Windows machine again and saw those infinite popups. It is hard to stop them from re-appearing again, because after removing FF, using the task manager, a restart opens all popups again.

This can be repeated several times until FF falls back into secure mode and disables all add-ons. If you don’t dare to restore the last sessions, which you shouldn’t of course :smirk:, you can run FF in normal mode again.

I’m using KeePass 2.48.1, latest available version. KeePass and its database are running from a network share. While I was logged off, the PC did not hibernate or similar. The network share and KeePass were available all the time.

FF add-ons: Enhancer for YouTube, First Party Isolation, Kee - Password Manager, Privacy Possum, Standard Notes Clipper, Switch Container, Tampermonkey, uBlock Origin, Video DownloadHelper, Youtube Downloader