Closed Bug 109888 Opened 24 years ago Closed 24 years ago

login doesn't work properly (Expires: 1970-01-01 00:00)

Categories

(Core :: Networking: Cookies, defect)

x86
Linux
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: a_geek, Assigned: morse)

Details

Hi, there is a program, keystone, that uses cookies to log the user in. This program has a login page where the user enters her username and password which, when loaded, also sets a cookie of "keycookie" value: "deleted", expiry until 1970-01-01 00:00. When submitted, the program decodes the cookie for a user name and tries to get that from the data base. Unfortunately, mozilla sends the cookie with the values mentioned above instead of deleting any cookie with that name in its cookie store and sending no cookie instead. So the program gets the wrong cookie, where it can't find a user name from, and login to the program fails. Netscape and other programs handle this cookie correctly and don't send it back to the server, so login succeeds. I see this problem with Mozilla 0.9.5 (fwiw). (How do you log out of a cookie-based application if this doesn't work, anyway?) Best, --Toni++
*** Bug 109889 has been marked as a duplicate of this bug. ***
Setting of cookie with value "deleted" will do just that. It will not delete a cookie. Where did you hear/read that this should delete cookies? The correct way to delete a cookie is to set it to a null value. I'm confused by the example you cited in this report (http://www.stonekeep.com). That site doesn't appear to be setting any cookies nor does it present a login form. I'm also confused by the statement "Netscape and other programs handle this cookie correctly." There is no code in any of the Netscape browsers to special case the value of "deleted". I can't speak for other programs. Am I missing something here? If so, please give step-by-step details for a procedure to demonstrate the problem and then reopen this bug report.
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
The following comments were received by reporter in private e-mail. Posting here with reporter's permission.
=====================================

> The correct way to delete a cookie is to set it to a null value.

Ok, taken. The cookie set has a time value in the past. I will need to re-read the cookie specs to find out if a cookie that has already expired is allowed to be re-transmitted from the browser to the server.

> That site doesn't appear to be setting any cookies nor does it present
> a login form.

The site was moved :( Please go to http://keystone.whitepj.net/keystone/index.php3

> please give step-by-step details for a procedure to demonstrate the
> problem and then reopen this bug report.

This is not so easy as checking this requires a live installation with a passworded account. So your best bet (since my installation is in RFC-space anyway) is to download the ~200-300k of PHP stuff and set a private copy up. Apart from a PHP installation you also need MySQL for this system to run (PostgreSQL doesn't appear to work similarly well). Once you have it running, I suggest the following test procedure (which should work):

- set keystone up so that logging is rather verbose (ie, there are some variables in conf/keystone.conf that you can set to get this, mine are:
  $sys_logfile = "logs/keystone.log";
  $sys_loginfo =1;
  $sys_logerr =1;
  $sys_logdebug=1;
- in the admin interface, create a user with a password
- go to http://my.keystone.installation/keystone/nbrowse.php3 _without_ having any accounts in your mozilla yet (doing this with Netscape reveals what the values of the cookies are, as it seems).
- you will see "not logged in" and a link to the login page (index.php3). click that link.
- you will be asked to have a cookie set. this is the one saying "keycookie=deleted", expiry on the Epoch.
- you have your password manager remember that account data.
- click login (left form), and see that another cookie is to be set. this one contains your login name and some encrypted stuff.

This works with Netscape 4.77, but not Mozilla 0.9.5 since Mozilla sends the cookie that is already expired, and Netscape does not.
> I will need to re-read the cookie specs to find
> out if a cookie that has already expired is allowed
> to be re-transmitted from the browser to the server.

No, it is not allowed to be re-transmitted once it has expired. If you have evidence that that is happening (and preferably with a simple test case), open a bug report on that.

> This is not so easy as checking this requires a live installation with a
> passworded account. So your best bet ...

The procedure you gave here is much too complicated. Could you come up with a simple test case that demonstrates the problem that you are experiencing?
Following additional comments were received from reporter who is having some sort of problem posting to this bug report directly.
=====================

well. If an expiry time of 0 seconds since the Epoch (as opposed to no explicit expiry time) is not a special case, then having an expiry time of 0 seconds since the epoch marks a cookie in the past. For such a cookie, I can post snippets from my log files, if this is useful.

Seeing the initial cookie with the aforementioned expiry time can be exercised by going to the page I mentioned before, http://keystone.whitepj.net/keystone/index.php3 I don't have valid login data for this site, however, so you can't see the rest of the problem.

[ in the meantime I skimmed RFC2109 which says that a cookie with Expiry delta = 0 is to be discarded immediately, together with any other cookie of the same name, domain and URI path ]

Well, to verify the problem you need something that sets a cookie with the specified problem (I don't have an appropriate script ready), and which logs or displays any cookies you send it. Then you just go to this script and see the cookie values the browser sends.

Is there something in mozilla that I can use to "turn on debugging" so to say? Something like a switch that allows me to enable a bunch of fprintf(STDERR, ...)'s, for instance?
Yes, a cookie with an expire time of 0 (or with no expire time specified) is special-cased -- it is treated as a session cookie. The reference that you found in 2109 has to do with max-age and not with expire. It states:

   Max-Age=delta-seconds
      Optional. The Max-Age attribute defines the lifetime of the cookie, in seconds. The delta-seconds value is a decimal non-negative integer. After delta-seconds seconds elapse, the client should discard the cookie. A value of zero means the cookie should be discarded immediately.
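The thread turns on three different cookie lifetimes: a cookie with no expiry (session cookie), one with Max-Age=0 (RFC 2109 says discard immediately), and one whose Expires date is the Epoch, i.e. already in the past. The following Python is an added illustration written for this page; it is not Mozilla's cookie code and does not claim to reproduce Mozilla 0.9.5's special case for an expire time of 0. It follows the rule the assignee states above (an expired cookie is never re-transmitted) and, as an assumption, the later RFC 6265 precedence rules: Max-Age overrides Expires, an unparseable Expires is ignored, and an expiry already in the past stores nothing and evicts any same-named cookie. The keystone header values in `keystone_login_sequence` are constructed to mirror the report; the token value is a placeholder.

```python
import email.utils
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[float]  # absolute Unix time; None means a session cookie


def parse_set_cookie(header: str, now: float) -> Cookie:
    """Turn one Set-Cookie header value into a Cookie with an absolute expiry.

    Assumed rules (RFC 6265 section 5.3): Max-Age wins over Expires, a
    malformed Max-Age or Expires is ignored, and a non-positive Max-Age or a
    past Expires date yields an expiry that is already in the past.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    expires: Optional[float] = None
    max_age: Optional[int] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass  # ignore a malformed Max-Age
        elif key == "expires":
            # Accepts both "Thu, 01 Jan 1970 00:00:00 GMT" and the older
            # "Thu, 01-Jan-1970 00:00:00 GMT" spelling used by the report.
            parsed = email.utils.parsedate_tz(val)
            if parsed is not None:
                expires = float(email.utils.mktime_tz(parsed))
    if max_age is not None:
        expires = now + max_age  # Max-Age takes precedence over Expires
    return Cookie(name.strip(), value, expires)


class CookieJar:
    """Minimal single-host jar; domain and path matching are left out."""

    def __init__(self) -> None:
        self._store: Dict[str, Cookie] = {}

    def receive(self, header: str, now: float) -> str:
        """Apply a Set-Cookie header and report what happened to the jar."""
        cookie = parse_set_cookie(header, now)
        if cookie.expires is not None and cookie.expires <= now:
            # An already-expired cookie is never stored; its only effect is to
            # evict an existing cookie of the same name. This is the mechanism
            # behind both Max-Age=0 and an Expires date in the past.
            evicted = self._store.pop(cookie.name, None)
            return "deleted" if evicted is not None else "ignored"
        self._store[cookie.name] = cookie
        return "stored"

    def cookie_header(self, now: float) -> str:
        """Build the Cookie request header, first evicting anything that has
        expired since it was stored, so an expired cookie is never sent."""
        stale = [n for n, c in self._store.items()
                 if c.expires is not None and c.expires <= now]
        for name in stale:
            del self._store[name]
        return "; ".join(f"{c.name}={c.value}" for c in self._store.values())


def keystone_login_sequence(now: float = 1_005_000_000.0) -> Tuple[str, str]:
    """Replay the exchange from the report with constructed header values.

    The login page sets keycookie=deleted with an Epoch Expires date, so the
    browser must send no cookie with the login form; the login response then
    sets the real cookie. Returns the Cookie header sent at each step.
    """
    jar = CookieJar()
    jar.receive("keycookie=deleted; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Path=/", now)
    at_login = jar.cookie_header(now)  # "" : the expired cookie is not sent
    jar.receive("keycookie=toni%3AEXAMPLE_TOKEN; Path=/", now)  # placeholder value
    after_login = jar.cookie_header(now)
    return at_login, after_login


if __name__ == "__main__":
    print(keystone_login_sequence())
```

Under these rules the login form is submitted with an empty Cookie header, which is the behaviour the reporter saw in Netscape 4.77; a jar that instead treated the Epoch expiry as a session cookie would send `keycookie=deleted` and the application would fail to decode a user name from it, exactly as described in the report.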
V/invalid.
QA Contact: tever → benc
Summary: cookie based login doesn't work properly → login doesn't work properly (Expires: 1970-01-01 00:00)