CEF Forum

I have problem when invalid username/pasword is provided to HTTP authorization. Tested in my application and also in cefclient cef_binary_90.4.3+gc48a797+chromium-90.0.4430.51_windows32_beta and cef_binary_88.2.4+gf3c4ca9+chromium-88.0.4324.150_windows32.
I think it used to work in past (haven't tested this for long time, so I'm not sure), but now the GetAuthCredentials() and http request is fired many times and it ends like this:

Page failed to load.
URL: https://jigsaw.w3.org/HTTP/Basic/
Error: UNKNOWN (-375)
ERR_TOO_MANY_RETRIES

It is easy to reproduce, just modify username in ClientHandler::GetAuthCredentials() and visit https://jigsaw.w3.org/HTTP/Basic/
I'm not sure if it is bug, or am I supposed to handle repetitive calls to to GetAuthCredentials() and avoid passing the same username/password?

What behavior are you expecting? You need to cancel the authorization if you don't want it to retry.

I was expecting that when invalid login/password is provided, text request with the same login/pass would be cancelled automatically, but when I think about that, it would not allow to retry with the same password.
How can I detect invalid password to avoid retrying? The username/password is provided to my application ahead, it has no visible UI so I cannot offer user to provide other password or cancel. Can I expect that with good password CEF won't call GetAuthCredentials() again? In that case I could cancel all requests except first one.

Can I expect that with good password CEF won't call GetAuthCredentials() again? In that case I could cancel all requests except first one.

For the same request, yes.

By same request do you mean origin_url, or realm? I'm not sure whether I need to keep list of origin_url or realms or just one global bool.

I would start with the (url, realm) pair and see how that works out.

did you find a solution for this? I have same problem, credential are passed through a different application. I have issue that if user provides wrong password then CEF tries the authentication multiple times. Afterwards the windows account is locked.

In my case browser is dedicated to one domain in it's lifespan, so in my authorization handler I send user/password only once, I'm cancelling other authorization requests because I suppose those are invoked because first authorization have failed.