Closed Bug 240963 Opened 21 years ago Closed 21 years ago

short cookie lifetime overridden by "limit to current session" setting

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mozilla, Assigned: mvl)

Details

(Keywords: fixed-aviary1.0, fixed1.7.5)

Attachments

(3 files)

also check expiry for session cookies
5.88 KB, patch
dwitte
: review+
darin.moz
: superreview+
Details | Diff | Splinter Review
1.7 branch fix
6.83 KB, patch
mkaply
: approval1.7.5+
Details | Diff | Splinter Review
update idl comments
2.71 KB, patch
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040124 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040124 If the "limit maximum lifetime of cookies to" preference is set to "current session", even cookies that expire before the end of the session survive until the session is closed. IMHO this is a bug because the name of this setting implies that no cookie will live longer than the session, not that all cookies survive until the end of the session. Reproducible: Always Steps to Reproduce: 1. Set "limit maximum lifetime of cookies to current session". 2. Install a cookie that expires afer N minutes. 3. Wait N + x minutes (x > 0). Actual Results: The cookie is still there. Expected Results: The cookie should have been removed.
Are you sure the expired cookies are "active" and accessible? Perhaps cookies are only deleted at the session end? Creating a Cookie Log http://www.mozilla.org/projects/netlib/cookies/cookie-log.html
Yes, the expired cookies are still active (i.e. sent to the server) after the expiration date.
from nsCookiePermission.cpp: 432 // we're not prompting, so we must be limiting the lifetime somehow 433 // if it's a session cookie, we do nothing 434 if (!*aIsSession && delta > nsInt64(0)) { Imagine that check is removed. That would make a session cookie have a expiry date. Would that expire it when either the session is closed or the expiry time comes?
what type of logic could we use to determine whether we should limit or not? other than an arbitrary length of time, I'm not seeing anything that we could really use for this. mvl: if its a session cookie already, it'll stay a session cookie, that check just skips any of the lifetime limiting/calculation code if its already a session cookie. what's delta for a session cookie?
this is a valid bug, confirming; although it may end up being wontfix. there is no delta for a session cookie; they have no expiry time defined. fixing this bug would probably involve keeping expirytime and isSession attributes around for every cookie, and then applying the more restrictive of the two. for instance, a cookie is set that expires in 5 seconds; the user pref to limit lifetime to session has been set, so we "downgrade" it to a session cookie; when we next go to send that cookie back to the server in the same session, we note that it's already expired and dump it. this will introduce a tad more complexity... what say you, cookie ui peer? :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
this brings up the issue of "what do we show in cookie viewer" if we're maintaining both in memory. I don't think there's a good answer for that. One or the other would be just plain wrong. I guess the question is "how harmful is this really? and in what situations?"
oh, and same logic necessarily applies to prompts and site perms too, so now we're looking for some logic to deduce when "accept for session" really means "leave the damn thing alone"
Could you guys explain what you mean by "session cookie"? Seems I'm missing the point here. :-)
a session cookie is one that persists until the browser is closed, and is a valid type of cookie (contrast this to a cookie with a given expiry time). see rfc 2109 to learn more about the various properties of cookies.
session cookies are generally set by servers to expire at the end of the current session. Any of the limit to session options apply this type of expiry to each cookie, meaning you get the bug seen here.
So why does Mozilla "downgrade" a cookie with expiration date to a session cookie? This is counter-intuitive from the end user's point of view (as you can see :-). I'd expect the "limit to session" option to pay attention to the expiration dates and remove all cookies when the browser is closed. Would this really be difficult to implement? I'm not familiar with the source code but if this option is disabled Mozilla has to keep track of expiration dates for every cookie anyway, doesn't it?
I think checking for expiry time even if the cookie is a session cookie won't be a problem. It is just removing a few checks, like: (from nsCookieService) 575 // check if the cookie has expired 576 if (!cookie->IsSession() && cookie->Expiry() <= currentTime) { 577 continue; 578 } Remove the IsSession() check. The UI in the cookie mgr is a problem though, as there are two reasons for the cookie to expire, not just one (a date or end of session)
it's not quite that simple... we'd have to init the expiry time for true session cookies to LL_MAXINT first.
We kind of assume that a user selecting this has some idea of what they are doing. In theory ANY cookie lifetime that changes could eventually outlast the original expiration period. Sessions are theoretically unlimited. Servers should know how to revoke stale cookies.
Something like this. The cookie manager magicly still works, due to the difference between nsICookie::GetExpires and nsICookie2::GetExpiry. I don't know why we have two, but it comes in handy here :) It doesn't get confused by the large expiry time by default. GetExpires checks for IsSession first. For a downgraded cookie, it says it will expire at the end of the session. Is that a problem? I don't know what a user will expect. If it doesn't say that it is a session cookie, they will think it didn't work. But it might go away before the session is closed. mconnor?
Assignee: darin → mvl
Status: NEW → ASSIGNED
Attachment #146944 - Flags: review?(dwitte)
Comment on attachment 146944 [details] [diff] [review] also check expiry for session cookies >Index: netwerk/cookie/src/nsCookieService.cpp >=================================================================== > nsCookieAttributes cookieAttributes; >+ cookieAttributes.expiryTime = LL_MAXINT; please put a comment here explaining why the init... maybe: // init expiryTime such that session cookies won't prematurely expire and of course, if you get your way, this might end up being currentTime + 12 hours instead of LL_MAXINT :) also, you missed a case at http://lxr.mozilla.org/seamonkey/source/netwerk/cookie/src/nsCookieService.cpp# 1971, please remove the IsSession check there... it's unnecessary now. looks good, r=me
Attachment #146944 - Flags: review?(dwitte) → review+
Comment on attachment 146944 [details] [diff] [review] also check expiry for session cookies Consider those review comments to be fixed.
Attachment #146944 - Flags: superreview?(darin)
Attachment #146944 - Flags: superreview?(darin) → superreview+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Attached patch 1.7 branch fixSplinter Review
Seeing this in 1.7 as "expired cookies with a value of "deleted" are saved then the site is session-whitelisted." (Branch fix attached.)
you might want to request approval1.7.2 on the patch.
Attachment #152864 - Flags: approval1.7.2?
Comment on attachment 152864 [details] [diff] [review] 1.7 branch fix a=mkaply for 1.7.2
Attachment #152864 - Flags: approval1.7.2? → approval1.7.2+
Would someone sufficiently CVS permed mind checking the branch fix in?
Keywords: fixed-aviary1.0
fixed on 1.7 branch.
Keywords: fixed1.7.2
the fix for this bug didn't update the relevant documentation in the nsICookie2 and nsICookieManager2 interfaces. i've updated these comments on trunk per this patch.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: