Closed
Bug 600372
Opened 14 years ago
Closed 14 years ago
Discovery Pane logged in mode not working in prod
Categories
(addons.mozilla.org Graveyard :: Discovery Pane, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
5.12.3
People
(Reporter: fligtar, Assigned: clouserw)
Details
(Whiteboard: [disco-final])
While logged into AMO, the disco pane (https://services.addons.mozilla.org/en-US/firefox/discovery/3.7pre/Darwin) doesn't show me as logged in. This worked on preview, so guessing there's a problem with services reading the cookie.
Comment 1•14 years ago
addons.mozilla.org tells me this: Set-Cookie: AMOv3=xxx; path=/; secure; HttpOnly
Assignee
Updated•14 years ago
Target Milestone: --- → 5.12.2
Assignee
Updated•14 years ago
Assignee: nobody → clouserw
Assignee
Comment 2•14 years ago
We're using standard domain cookies which means they are only accessible on AMO. We could switch them to *.AMO but that means any other subdomain could see them, including FAMO, BAMO, PAMO, LAMO, and all the rest. I don't trust any of those to see sessions. We may need to XHR this data in after the page load.
Reporter
Comment 3•14 years ago
Why don't you trust those to see sessions? It seems like accessing the AMO session from other subdomains will be desirable and possibly necessary in the future.
Assignee
Comment 4•14 years ago
FAMO is one of the most widely targeted and exploited forums on the market, BAMO has a questionable past regarding security, PAMO is not always tested code and can have exploits on it. I don't see lifting the restriction.
Assignee
Comment 5•14 years ago
So, -> potch for front end stuff. If you need someone to make you a back end chunk, let us know.
Assignee: clouserw → thepotch
Priority: P2 → P3
Assignee
Comment 6•14 years ago
I'm taking this. Our cookie issues aren't resolved yet, but we're doing it the right way so it'll make this much better once we solve it.
Assignee: thepotch → clouserw
Target Milestone: 5.12.2 → 5.12.3
Assignee
Updated•14 years ago
Assignee
Comment 7•14 years ago
Well, the cookie is cross domain now, so this should just work. We won't know until it's in production though and you'll probably need to log out/in.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
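The cookie scoping discussed in Comment 2 and changed in Comment 7, as an added example that is not part of the bug thread or AMO's code: a simplified RFC 6265 model of host-only versus Domain-scoped cookies. The Domain=addons.mozilla.org header and the host other.addons.mozilla.org are assumptions; the bug does not show the header that was actually deployed.

```javascript
// Added example: RFC 6265 cookie scoping (host-only vs. Domain attribute).
// Only the first Set-Cookie value is quoted from Comment 1; the rest is constructed.

// RFC 6265 section 5.1.3: host matches domain if identical, or if host ends
// with "." + domain and host is a name rather than an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Store a cookie the way a user agent would: with no Domain attribute the
// cookie is host-only and bound to the exact host that set it.
function storeCookie(setCookie, originHost) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const cookie = { pair, domain: originHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const name = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1).trim();
    if (name !== "domain" || value === "") continue;
    const d = value.replace(/^\./, "").toLowerCase(); // leading dot is ignored
    // A server may only set a Domain that covers its own host.
    if (!domainMatch(originHost, d)) return null; // user agent rejects cookie
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// Would the user agent attach this cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

const AMO = "addons.mozilla.org";
const SERVICES = "services.addons.mozilla.org";
const OTHER = "other.addons.mozilla.org"; // hypothetical sibling subdomain

const hostOnly = storeCookie("AMOv3=xxx; path=/; secure; HttpOnly", AMO);
const widened = storeCookie( // assumed form of the widened cookie
  "AMOv3=xxx; Domain=addons.mozilla.org; path=/; secure; HttpOnly", AMO);

for (const host of [AMO, SERVICES, OTHER]) {
  console.log(host, "host-only:", isSentTo(hostOnly, host),
              "Domain-scoped:", isSentTo(widened, host));
}
```

The host-only cookie never reaches the services host, which matches the reported symptom; the Domain-scoped cookie reaches it along with every other subdomain, which is the exposure raised in Comment 2.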
Comment 8•14 years ago
Although I can't verify this _in prod_, I've verified that https://addons.allizom.org/en-US/firefox/discovery/3.6/Linux and the like pay attention to our logged-in/logged-out state, and reflect that correctly, on next/preview. I'll verify post-push.
Comment 9•14 years ago
I spun off bug 613574 to cover SAMO.
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard