Closed Bug 24679 Opened 26 years ago Closed 25 years ago

Problems logging on to Etrade

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED DUPLICATE of bug 40449

People

(Reporter: tever, Assigned: neeti)

References

(
URL
)

Details

(Keywords: relnote, Whiteboard: [nsbeta2+]time problem? ETA 7/28)

Overview Description: Cannot log in without getting a warning about using a cached login page. When you select the supplied link to 'Logout' you can then access the etrade site. This happens only during the first attempt at logging in. Steps to Reproduce: 1.) Go to etrade site 2.) Login with user name / password 3.) Actual Results: Get message that you can not log in from cached page. Expected Results: I shouldn't get this message and should be able to access etrade. Build Date & Platform Bug Found: 2000012108 NT Additional Builds and Platforms Tested On: seems to work on linux, can't test the mac presently Additional Information:
re-assigning QA contact to myself.
QA Contact: junruh → tever
setting milestone optimistically.
Target Milestone: M14
adding beta1 keyword and setting m14 checkpoint.
Status: NEW → ASSIGNED
Keywords: beta1
Putting on PDT+ radar for beta1.
Whiteboard: [PDT+]
I have see this but is hard to reproduce. are you using single signon?
yeah, I was using single sign on. Haven't been able to reproduce this with it disabled.
Whiteboard: [PDT+] → [PDT+] eta. 2days
From what I can gather: There are three cookies being set on the client. The first is for the form element. The second is a cookie that describes the session: <set-cookie> <gx_session_id_User_login_session=62c49d0e026ce2d8> This gets set on both commercial mozilla or netscape 4.7. The next cookie is <set-cookie> <etcustomer=XXXXXXXXXXXXXXXXXXXXXX; secure> (there is real data in this, but I do not know how secure it is so I X'ed it out) This however, is only set when a successful login happens. When running 4.7, I get this cookie set every time. If I run with mozilla, I only get this cookie set on the second attempt. What happens instead is the gx_session_id_User_login_session is reset to another value and the etcustomer cookie is never set! Now, here is why I think it is a site problem. If I change my user agent string to what 4.7 is: Mozilla/4.7 [en] (WinNT; U) I can log in without any problems! I have sent an email to seamonkey-internal and cartman-dev for contact information at etrade.
Whiteboard: [PDT+] eta. 2days → [PDT+] Problem with etrade's site
valeski, just mentioned that it might be the user agent string that we are sending without a security level. testing.
Whiteboard: [PDT+] Problem with etrade's site → [PDT+]
I tried: Mozilla/5.0m13 (Windows; U; NT4.0; en-US) (notice the 'U'). This did not work.
I tried: Mozilla/5.0m13 (Windows; U; NT4.0; en-US) (notice the 'U'). This did not work.
Whiteboard: [PDT+] → [PDT+] user agent problem? (2 days)
*** Bug 22974 has been marked as a duplicate of this bug. ***
if I remove the milestone from the user agent I can log on sucessfully the first time.
Blocks: 3688
grabbing this one. I have a fix (to remove the milestone as part of the version string).
Assignee: dougt → valeski
Status: ASSIGNED → NEW
Hang on, folks; we may not necessarily want to strip this out of the builds so fast; here's some detail to help make the call. Christine Begle is on the verge of publishing the formal mozilla user agent string proposal for public review. That proposal includes, immediately after the initial 5.xyz major/minor version (where xyz is zero-filled integers, e.g. 001), the option of appending an initial-alphabetic-char suffix such as "m13" or "b1". Such suffixes were put in the proposal to enable the designation of pre-release milestone or beta builds (but could be used for any purpose). This "suffix feature" of the user agent proposal has been put in on the assumption that it should not cause many client sniffers trouble, because: 1) such suffixes have been used in the past, e.g. by Nav4.x betas 2) most client sniffers use something like parseInt or parseFloat to get as much of the leading numbers as they care about; such sniffers won't be harmed by an initial-alpha suffix. I don't recall any particular concerns about sniffer-compatibility being raised for the suffix proposal during the thread on netlib. Even to a sniffer-compatibility fascist like myself, it seemed relatively safe at the time. This assumption that suffixes will be sniffer-safe may or may not be correct. I *suspect* that etrade is a rare counterexample. There are only three possible things we can do to settle the question: 1) put the suffix in our daily builds and test 2) put the suffix in the M14 or M15 milestone and see if wide usage causes problems 3) post cbegle's draft proposal for public review (this should happen any day now) If these suffixes are going to raise general hell, we *definitely* want to find out about it ASAP. Even if we don't want to jeopardize M14/beta1 with suffixes, we definitely want the suffix in as part of dailies and M15 if we're going to keep it as part of our formal userAgent string proposal. In the meantime I will do the following: 1) fix the sample text in the existing userAgent-notification template to be up-to-date and compliant with our proposal 2) create a new notification template ("Update your client sniffer to be suffix friendly ...") to handle cases such as etrade's where the suffix turns out to cause a problem If the milestone suffix turns out to raise hell on many sites, then obviously we'll rev the userAgent proposal to come up with a solution. Because we've discovered with etrade that this expected-to-be-harmless change can break at least one site, we may wish take the following approach: a) take the suffix out for m14 and beta1 (to avoid jeopardizing the perception of beta) b) put it in the dailies and in M15 to evaluate how widespread the problem is c) decide based on feedback to dailies and M15 whether to keep suffixes as part of our proposal Moral of the story: we can't be too conservative on backward compatibility when it comes to userAgent strings. Adding cbegle to the cc:.
Whiteboard: [PDT+] user agent problem? (2 days) → [PDT+] user agent: backward compatibility or not?
Per jar's decision, acting for the PDT, valeski, please go ahead and remove the m13 string from Netscape's branded product. Netscape will decide whether it needs to differentiate its beta builds from its final product in the useragent string, and if so, we will do so in some way that avoids violating the mozilla useragent string specification and also avoids breaking major web sites. I am opening a thread on n.p.m.netlib as in light of the etrade problem the mozilla.org community may choose to re-evaluate this part of the proposed specification.
just pulled it, if you want to test w/ a string after the app version, set this pref. pref("general.milestone", "");
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Can we make that pref be useragent.milestone or perhaps useragent.minorversion?
The pref is a hack till we get a better handle on the agent string format. IMO, we shouldn't waste much time with this more than temporary pref. Thanks, Jim (PDT+ addict) Roskind
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
verified: Commercial build WinNT 2000022108
Status: RESOLVED → VERIFIED
I'm still seeing this bug as of today's commercial build. When I try to logon to Etrade I get the same cach error bug. If I attempt to logout per etrade's link, I still can't log in. This bug is intermittent however - I have on occassion been able to log in to etrade. But the majority of the time, including today, I can't log in. Reopening bug.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
over to doug per his request
Assignee: valeski → dougt
Status: REOPENED → NEW
chriss, Are you using a migrated profile? Can you reproduce this? If you can, please open up the Cookie Manage and tell me what cookie you have from the trading.etrade.com domain. A sure-fire workaround is to delete any cookies from this domain, and try again. Etrade has a three cookies it uses for a logon. If any do not get set, or are wrong, you will not be able to log in.
Keywords: relnote
Whiteboard: [PDT+] user agent: backward compatibility or not? → [PDT+]
I verified that this is *not* a user agent string problem.
What is the status of this bug? The last comment was last friday... Are we going to have to release note access to etrade? :-( Please update the status whiteboard with info, or suggest other folks that we can get involved to get you some help. Thanks, Jim
Whiteboard: [PDT+] → [PDT+] cookie problem? investigating
It looks like it is some timing issue. If I stay a while on the login page (more than 10-30 seconds), I will not be allowed to log on. On the other hand, if I login under a few seconds, it get on. still looking.
Whiteboard: [PDT+] cookie problem? investigating → [PDT+] able to reproduce it now.
I added code to http to print out all the requests/responses. I ran the same procedure twice, but differed on how long I would wait on the login page (if you wait too long, you can on log in). On the "long delay" run, the responses are out of order. I am not sure if this is related. Here is that printout: RESPONSE order for the sucessful login: -----RESPONSE: <content-type> <image/gif> -----RESPONSE: <pragma> <no-cache> -----RESPONSE: <cache-control> <private, no-cache> -----RESPONSE: <content-length> <43> -----RESPONSE: <server> <Netscape-Enterprise/3.6 SP2> -----RESPONSE: <date> <Thu, 09 Mar 2000 02:10:14 GMT> -----RESPONSE: <requeststartsec> <952567814> -----RESPONSE: <requeststartusec> <881319> -----RESPONSE: <content-type> <image/gif> -----RESPONSE: <connection> <close> Here is the unsuccessful RESPONSE: -----RESPONSE: <server> <Netscape-Enterprise/3.6 SP2> -----RESPONSE: <date> <Thu, 09 Mar 2000 02:12:16 GMT> -----RESPONSE: <requeststartsec> <952567937> -----RESPONSE: <requeststartusec> <155468> -----RESPONSE: <content-type> <image/gif> -----RESPONSE: <connection> <close> -----RESPONSE: <content-type> <image/gif> -----RESPONSE: <pragma> <no-cache> -----RESPONSE: <cache-control> <private, no-cache> -----RESPONSE: <content-length> <43> Note that the close is premature. Also, I am unfamilar with the http "requeststartsec". Could we have a time interval bug, (eg. minutes ?= seconds) Also another interesting piece of data is that on a unsuccessful login, the *wrong* cookie is being set. I am not sure how this could happpen on the client. Successful RESPONSE (cookie change for my security): -----RESPONSE: <set-cookie> <etcustomer=XXXXXXXXXXXXXXXXXXXXXX; secure> Unsuccessful RESPONSE: -----RESPONSE: <set-cookie> <gx_session_id_User_login_session=65bd28732cd5cd1a>
Whiteboard: [PDT+] able to reproduce it now. → [PDT+] time problem?
You might want Gagan to own this one.
Doug, I see that you are using my added code to display the headers. I wrote that at a time when the traceplus sniffer was not working with mozilla. But mozilla has changed and it once again can be sniffed. So try using traceplus and see what it has to say in the two cases.
steve, I could not get traceplus to work with cartman. When I send() to a traceplus(cartman), it never receives.
IMO, this should be release noted, as it seems like there is a work-around (and it is unclear what the problem is). Am I correct that you can *consistently* log in, so long as you don't "wait too long" on the login page? (Long defined to be "submit user name and password in about 10-30 seconds).
jar, you are correct: if you idle to long on the login page, you can not login. Gagan mentioned that this problem *might* be related to: http://bugzilla.mozilla.org/show_bug.cgi?id=29610 Release noting this would be okay with me. The last dozen trades that I have made have been using the netscape build.
This sounds like it could become a release note. I'm removing the PDT+, to get a re-eval.
Whiteboard: [PDT+] time problem? → time problem?
Putting on PDT- radar for beta1.
Whiteboard: time problem? → [PDT-]time problem?
I have a similar problem, I try to login, it says I have to log out, I do, then I can log in again. I encounter it every time I start mozilla and go to ETrade's home page. I'm having the problem with the linux version, but it won't let me change the OS field.
Blocks: 13785
per warren's comment a while ago, over to gagan.
Assignee: dougt → gagan
Moving to M15
Target Milestone: M14 → M15
Target Milestone: M15 → M16
Moving to M17 which is now considered part of beta2.
Target Milestone: M16 → M17
I just logged in fine using the beta on winnt
*** Bug 33367 has been marked as a duplicate of this bug. ***
don't think it's our problem but we can take a look
Assignee: gagan → ruslan
Keywords: beta2
Keywords: nsbeta2
*** Bug 36860 has been marked as a duplicate of this bug. ***
Status: NEW → ASSIGNED
Putting on [NEED INFO]. ekrock, can you help us get an etrade contact to help us with this?
Whiteboard: [PDT-]time problem? → [NEED INFO][PDT-]time problem?
Jan, what kind of help do you want? A QA analyst? A sysadmin to provide info about their server? Please specify and then ask Dawn to try to track down a contact.
Whiteboard: [NEED INFO][PDT-]time problem? → [PDT-]time problem?
Clearing old [PDT-] from beta1 to trigger re-evaluation. Per clarification in seamonkey leads today, this qualifies as a nsbeta2 bug as it's a major service site.
Whiteboard: [PDT-]time problem? → time problem?
Please not that the browser is usable with E*Trade. You can always log in/log out. It would just display the status as "Logged in" and you'll have to log out and log in back. This sometimes happens with NS4 as well and it's most likely some tedious cookie parsing/syntax problem.
putting on nsbeta2- radar.
Whiteboard: time problem? → [nsbeta2-] time problem?
is the current build still usable on e-trade for most people. Its not for me. I saw the "your loading from cache..." message first time, and then couldn't get http://www.etrade.com to load; just got a never ending progress bar... stopped the page load after 439 seconds with no response...
I can load it with the build which is 2 days old. It's definitely not the original problem
Ok. Just been looking at the other bug while using eTrade - it seems like it only does this when the cache is being used and is not empty. We send if-modified-since on the page which is not cacheable and that how the thing determines that we're not doing the clean log in. Over to neeti
Assignee: ruslan → neeti
Status: ASSIGNED → NEW
Status: NEW → ASSIGNED
taking the nsbeta2- off. some good sized subset of the beta2 users not being able to get on etrade would be bad. I'd think we would take a good low risk fix for this if one shows up on the table.
Whiteboard: [nsbeta2-] time problem? → time problem?
Putting on [nsbeta2+] radar.
Whiteboard: time problem? → [nsbeta2+]time problem?
Putting on 7/28 ETA...gagan to work with neeti on this.
Whiteboard: [nsbeta2+]time problem? → [nsbeta2+]time problem? ETA 7/28
hey! this is a dup of bug 40449 *** This bug has been marked as a duplicate of 40449 ***
Status: ASSIGNED → RESOLVED
Closed: 26 years ago25 years ago
Resolution: --- → DUPLICATE
verif. Dupe
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.