Clear the HTTP auth state when clearing cookies or cache.

Clear the HTTP auth state when clearing cookies or cache.

Thus, the user-facing behavior is now analogous to that of regular passwords, i.e.
  1. delete passwords form chrome://settings/clearBrowserData or chrome://settings/passwords so that the password is not filled on login
  2. delete cookies to actually log out

The small difference is that in the case of HTTP auth, user will be logged out even if they delete cache. This is because the auth state is deleted as part of the network history deletion, which is done when choosing cookies OR cache from chrome://settings/clearBrowserData. This is probably desirable.

Tested manually.

BUG=108291

[msramek, 2015-12-01 10:06:57]

msramek@chromium.org changed reviewers:
+ mmenke@chromium.org

[msramek, 2015-12-01 10:06:58]

Hi Matt,

can you please have a look at this?

Thanks,
Martin

[mmenke, 2015-12-01 15:59:48]

mmenke@chromium.org changed reviewers:
+ asanka@chromium.org

[mmenke, 2015-12-01 15:59:49]

[+asanka], who actually knows auth.

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
File chrome/browser/profiles/profile_impl_io_data.cc (right):

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
chrome/browser/profiles/profile_impl_io_data.cc:781: void
ProfileImplIOData::ClearNetworkingHistorySinceOnIOThread(
Hrm...Is this really part of the network history?  I notice we aren't clearing
the HTTP cache here, for instance, which has a clearer relationship to the
network history.

I certainly agree that we should probably auth data when we clear cookies.

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
chrome/browser/profiles/profile_impl_io_data.cc:791:
http_network_session_->http_auth_cache()->Clear();
I don't think it makes much sense to clear auth information without also
flushing the socket pools.  Otherwise, we may still have reusable connections
around that actually use that information.

[msramek, 2015-12-01 16:26:04]

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
File chrome/browser/profiles/profile_impl_io_data.cc (right):

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
chrome/browser/profiles/profile_impl_io_data.cc:781: void
ProfileImplIOData::ClearNetworkingHistorySinceOnIOThread(
On 2015/12/01 15:59:48, mmenke wrote:
> Hrm...Is this really part of the network history?  I notice we aren't clearing
> the HTTP cache here, for instance, which has a clearer relationship to the
> network history.
> 
> I certainly agree that we should probably auth data when we clear cookies.

The HTTP cache is deleted straight from BrowsingDataRemover (through
StoragePartitionHttpCacheDataRemover) when the user chooses to delete cache. I
assume that there two reasons why it isn't included here:
1. It's a several-step process jumping between the UI and IO thread, complicated
enough to deserve its own class.
2. This method is called even when user chooses cookies for deletion, and we
didn't want to delete cache in that case.

If you think this doesn't semantically fit here, we can perhaps extract this
part and call it directly from BrowsingDataRemover. It's just that this method
is called from (and only from) BrowsingDataRemover, so it seemed like the right
place. Well, or we can rename the method.

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
chrome/browser/profiles/profile_impl_io_data.cc:791:
http_network_session_->http_auth_cache()->Clear();
On 2015/12/01 15:59:48, mmenke wrote:
> I don't think it makes much sense to clear auth information without also
> flushing the socket pools.  Otherwise, we may still have reusable connections
> around that actually use that information.

Ok, I'll look into it! (I'm not very familiar with our network stack)

[asanka, 2015-12-01 17:51:10]

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
File chrome/browser/profiles/profile_impl_io_data.cc (right):

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
chrome/browser/profiles/profile_impl_io_data.cc:781: void
ProfileImplIOData::ClearNetworkingHistorySinceOnIOThread(
Putting this in ClearNetworkHistorySinceOnIOThread() means that HttpAuthCache
will be cleared if any option is selected in the "Clear browsing data" dialog
(even when the user is just trying to clear downloads history). Although that's
probably symptomatic of another problem.

Each time this has come up, the user expectation is that the HTTP auth cache
would be cleared when the "Passwords" option is selected on the "Clear browsing
data" dialog. This makes sense since the HttpAuthCache currently stores
passwords.

As far as the network stack goes, it makes sense also clear the auth cache if
the user chooses 'Cookies and other site and plugin data'. This option maps to
REMOVE_SITE_DATA | REMOVE_CACHE which includes REMOVE_COOKIES but not
REMOVE_PASSWORDS.

Overall, I think either REMOVE_COOKIES and REMOVE_PASSWORDS should imply
clearing of HttpAuthCache for the prescribed time window. And clearing the
HttpAuthCache should imply flushing the socket pools since connection based auth
schemes might used an authenticated connection (as mmenke pointed out). WDYT?

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
chrome/browser/profiles/profile_impl_io_data.cc:791:
http_network_session_->http_auth_cache()->Clear();
Also, this is meant to delete state since |time|. HttpAuthCache already keeps
creation timestamps around for cache entries which we should use to only remove
entries that were created after |time|.

[mmenke, 2015-12-01 17:59:32]

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
File chrome/browser/profiles/profile_impl_io_data.cc (right):

https://codereview.chromium.org/1484143003/diff/1/chrome/browser/profiles/pro...
chrome/browser/profiles/profile_impl_io_data.cc:781: void
ProfileImplIOData::ClearNetworkingHistorySinceOnIOThread(
On 2015/12/01 17:51:10, asanka wrote:
> Putting this in ClearNetworkHistorySinceOnIOThread() means that HttpAuthCache
> will be cleared if any option is selected in the "Clear browsing data" dialog
> (even when the user is just trying to clear downloads history). Although
that's
> probably symptomatic of another problem.
> 
> Each time this has come up, the user expectation is that the HTTP auth cache
> would be cleared when the "Passwords" option is selected on the "Clear
browsing
> data" dialog. This makes sense since the HttpAuthCache currently stores
> passwords.
> 
> As far as the network stack goes, it makes sense also clear the auth cache if
> the user chooses 'Cookies and other site and plugin data'. This option maps to
> REMOVE_SITE_DATA | REMOVE_CACHE which includes REMOVE_COOKIES but not
> REMOVE_PASSWORDS.
> 
> Overall, I think either REMOVE_COOKIES and REMOVE_PASSWORDS should imply
> clearing of HttpAuthCache for the prescribed time window. And clearing the
> HttpAuthCache should imply flushing the socket pools since connection based
auth
> schemes might used an authenticated connection (as mmenke pointed out). WDYT?

That sounds reasonable to me, at least.

[mmenke, 2016-01-12 16:43:35]

Description was changed from

==========
Clear the HTTP auth state when clearing cookies or cache.

Thus, the user-facing behavior is now analogous to that of regular passwords,
i.e.
  1. delete passwords form chrome://settings/clearBrowserData or
chrome://settings/passwords so that the password is not filled on login
  2. delete cookies to actually log out

The small difference is that in the case of HTTP auth, user will be logged out
even if they delete cache. This is because the auth state is deleted as part of
the network history deletion, which is done when choosing cookies OR cache from
chrome://settings/clearBrowserData. This is probably desirable.

Tested manually.

BUG=108291
==========

to

==========
Clear the HTTP auth state when clearing cookies or cache.

Thus, the user-facing behavior is now analogous to that of regular passwords,
i.e.
  1. delete passwords form chrome://settings/clearBrowserData or
chrome://settings/passwords so that the password is not filled on login
  2. delete cookies to actually log out

The small difference is that in the case of HTTP auth, user will be logged out
even if they delete cache. This is because the auth state is deleted as part of
the network history deletion, which is done when choosing cookies OR cache from
chrome://settings/clearBrowserData. This is probably desirable.

Tested manually.

BUG=108291
==========

[mmenke, 2016-01-12 16:43:35]

mmenke@chromium.org changed reviewers:
- mmenke@chromium.org

[msramek, 2016-07-12 16:08:02]

Closing this in favor of https://codereview.chromium.org/2097043002/.