Closed Bug 121685 Opened 23 years ago Closed 23 years ago

Expired cookies still returned to server if next request within one second or redirect

Categories: Core :: Networking: Cookies, defect
Platform: x86, Linux
Type: defect
Priority: Not set
Severity: normal

Tracking: VERIFIED FIXED, target milestone mozilla0.9.9

People: Reporter: mj, Assigned: morse

Attachments: 1 file

Problem: When a server sends a Set-Cookie header with Max-Age of 0 and an Expires far in the past to force deletion of a cookie, the contents of this cookie still get sent to the server if the next request is within the same second. This happens when the server issues a redirect with the response that deletes the cookie, for example. It may be that in fact only the redirect is at fault, I haven't investigated other scenarios.

To reproduce:

- Use a logging proxy or whatever takes your fancy to monitor server-browser traffic and headers.
- Go to the bug link. This will log you in on a test site under the username moz_bug_test, and set a cookie with the name '__ac'. For your convenience, the link is: http://new.zope.org/logged_in?__ac_name=moz_bug_test&__ac_password=5ecret
- Click on the 'Log out' link in the lighter blue bar at the top, or go to http://new.zope.org/logout
- The server will issue a 302 Moved Temporarily with a Set-Cookie header that should delete the __ac cookie.
- The response redirects the browser to http://new.zope.org/logged_out, and Mozilla will still include a Cookie header for __ac in the request for that URL. The test site will show a server side error on authentication as the contents of the cookie are invalid; the server never expected to get to see it again.
- The error page includes a reference to a stylesheet and some images; requests for these do not include the cookie anymore.

(This bug report was submitted using Galeon 1.0.2, but the bug was confirmed on the Debian packaging of Mozilla 0.9.7, which includes some Moz CVS patches. User Agent is Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.7) Gecko/20020121)
Note that a max-age overrides an expire header if both are present. So the fact that the expire header has a date far in the past has no effect here. However a max-age of zero should cause the cookie to be expired immediately, so this is a bug. However, as a work-around, the site should remove the max-age header and just keep the expire header.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.9
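The expiry semantics discussed in the report and in the comment above, as an added example that is not part of this bug thread and not Mozilla's cookie code: a small cookie-jar model that parses Set-Cookie, gives Max-Age precedence over Expires (as RFC 6265 section 5.3 specifies and as morse states), and contrasts a jar that deletes a Max-Age=0 cookie on receipt with one that stores expiry at whole-second granularity and treats the expiry second as still live, which reproduces the one-second window the reporter observed on the logout redirect. The cookie values, the timeline constants and the jar's internals are constructed for this example; the non-strict jar is an assumed model of the reported behaviour, not a description of the actual Mozilla defect.

```python
"""Cookie-expiry model for the Max-Age=0 / same-second redirect problem.

Max-Age takes precedence over Expires (RFC 6265 section 5.3) and Max-Age<=0
means "expire now".  A jar that only records expiry in whole seconds and
treats the expiry second as still live keeps sending a Max-Age=0 cookie to a
redirect target fetched within that same second.  Both jars below are models
written for this example, not browser code.
"""
from datetime import timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value, max_age (int|None), expires (epoch|None)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip().strip('"'),
              "max_age": None, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                cookie["max_age"] = int(val)
            except ValueError:
                pass  # RFC 6265: a non-numeric Max-Age is ignored
        elif key == "expires":
            try:
                dt = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # unparseable date: ignore the attribute
            if dt.tzinfo is None:
                dt = dt.replace(tzinfo=timezone.utc)
            cookie["expires"] = dt.timestamp()
    return cookie


class CookieJar:
    """Toy jar. strict=True deletes a Max-Age<=0 cookie on receipt (the intended
    behaviour); strict=False is an assumed model of the reported one-second window."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.cookies = {}  # name -> (value, expiry in epoch seconds, or None for session)

    def receive(self, set_cookie: str, now: float) -> None:
        c = parse_set_cookie(set_cookie)
        if c["max_age"] is not None:          # Max-Age wins over Expires
            if self.strict and c["max_age"] <= 0:
                self.cookies.pop(c["name"], None)   # expire immediately, no clock involved
                return
            expiry = int(now) + c["max_age"]  # stored at whole-second granularity
        else:
            expiry = c["expires"]             # None means a session cookie
        self.cookies[c["name"]] = (c["value"], expiry)

    def cookie_header(self, now: float) -> str:
        """Return the Cookie header for a request at time `now`, purging expired entries."""
        live = []
        for name, (value, expiry) in list(self.cookies.items()):
            # The expiry second itself still counts as live; for Max-Age=0 that is
            # exactly the window in which the non-strict jar still sends the cookie.
            if expiry is not None and expiry < int(now):
                del self.cookies[name]
                continue
            live.append(f"{name}={value}")
        return "; ".join(live)


# Constructed timeline (epoch seconds, early 2002): login, logout 10.2 s later,
# and the 302 target fetched 0.5 s after the logout response, in the same second.
T_LOGIN = 1_011_000_000.0
T_LOGOUT = T_LOGIN + 10.2
T_REDIRECT = T_LOGOUT + 0.5

LOGIN_SET_COOKIE = "__ac=c2VjcmV0; Path=/"                                   # constructed
LOGOUT_SET_COOKIE = ('__ac="deleted"; Path=/; Max-Age=0; '
                     "Expires=Thu, 01 Jan 1970 00:00:00 GMT")                # constructed


def simulate_logout(strict: bool) -> tuple:
    """Cookie header sent to the redirect target in the same second, and one second later."""
    jar = CookieJar(strict)
    jar.receive(LOGIN_SET_COOKIE, T_LOGIN)
    jar.receive(LOGOUT_SET_COOKIE, T_LOGOUT)
    return jar.cookie_header(T_REDIRECT), jar.cookie_header(T_REDIRECT + 1)


def max_age_beats_expires() -> str:
    """A past Expires date cannot shorten a cookie that also carries a positive Max-Age."""
    jar = CookieJar(strict=True)
    jar.receive("__ac=abc; Max-Age=3600; Expires=Thu, 01 Jan 1970 00:00:00 GMT", T_LOGIN)
    return jar.cookie_header(T_LOGIN + 1800)


def expires_only_workaround(strict: bool) -> str:
    """The workaround suggested in the thread: drop Max-Age and rely on a past Expires."""
    jar = CookieJar(strict)
    jar.receive(LOGIN_SET_COOKIE, T_LOGIN)
    jar.receive("__ac=deleted; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT", T_LOGOUT)
    return jar.cookie_header(T_REDIRECT)


if __name__ == "__main__":
    print("non-strict jar (same second, next second):", simulate_logout(strict=False))
    print("strict jar     (same second, next second):", simulate_logout(strict=True))
    print("Max-Age=3600 with past Expires, 30 min later:", max_age_beats_expires())
    print("Expires-only deletion on non-strict jar:", repr(expires_only_workaround(False)))
```

Running the block shows the non-strict jar returning `__ac=deleted` on the same-second redirect and nothing one second later, while the strict jar sends nothing either time; the Expires-only variant is deleted by both jars, which is why removing Max-Age works as a server-side workaround.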
Removing the max-age=0 key-value pair from the cookie would require changing the Zope response framework code (it's a library method), a change which wouldn't be user visible until the next Zope release; Mozilla 0.9.9 will be out by then. Also, as this problem is with specific Mozilla versions only, and removing max-age may break other browsers that rely on it, we'll just advise people to down- or upgrade Mozilla, or simply wait. This particular manifestation of this problem on our software is purely cosmetic. Thanks!
Keywords: nsbeta1
Comment on attachment 68353 [details] [diff] [review] immediately expiring cookies with max-age of 0 r=sgehani
Attachment #68353 - Flags: review+
Comment on attachment 68353 [details] [diff] [review] immediately expiring cookies with max-age of 0 sr=jag
Attachment #68353 - Flags: superreview+
This was checked in yesterday. Marking fixed.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
verified
Status: RESOLVED → VERIFIED