Persona authentication in people.mozilla.com loops when using HTTP

RESOLVED FIXED

(Reporter: sfink, Assigned: gozer)


(Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/168] )

(Reporter)

Description

4 years ago
I decided to try out the Persona authentication advertised when I log into people.mozilla.com. I created a file ~sfink/public_html/private/.htaccess with:

  AuthType Persona
  Require valid-user

Then I tried navigating to http://people.mozilla.org/~sfink/private/

It gave me the Persona login stuff. I logged in, and it sent me into some sort of infinite reload loop.

It looks like I'm sending a handful of cookies with each request, none of them appearing to be Persona cookies. There is a flurry of requests, ending with a POST to http://people.mozilla.org/~sfink/private/ . The request had these cookies: optimizelySegmeents, optimizelyEndUserId, optimizelyBuckets, _ga, __utmz, __utma. Then it reloads.

If I click on the 200 status code in the network log for that POST, I see in the "Sent Cookie" section the two cookies "can_set_cookies: 1" and "browserid_state: IYV4_...". The response headers are:

X-Powered-By:	Express
x-frame-options:	DENY
X-Content-Type-Options:	nosniff
Strict-Transport-Security:	max-age=10886400; includeSubdomains
Server:	nginx/1.6.0
Date:	Tue, 03 Jun 2014 20:15:15 GMT
Content-Type:	application/json; charset=utf-8
content-security-policy:	default-src 'none'; script-src 'self' https://static.login.persona.org; style-src 'self' 'unsafe-inline' https://static.login.persona.org; connect-src 'self'; font-src 'self'; img-src *; frame-src *;
Content-Length:	189
Connection:	keep-alive
Cache-Control:	no-cache, max-age=0

I don't know what triggers the reload. And I have no clue what component this bug should go in.
(Reporter)

Comment 1

4 years ago
Oh, right. And in the reload loop, the initial GET is getting back a 401. I do not see any relevant cookies getting sent with that request.

Aha! It's because I'm using http instead of https. It works with https.

The Persona cookie I have is for secure connections only.
(Reporter)

Updated

4 years ago
Summary: Persona authentication in people.mozilla.com loops → Persona authentication in people.mozilla.com loops when using HTTP
(Assignee)

Updated

4 years ago
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/168]
(Assignee)

Updated

4 years ago
Assignee: server-ops-webops → gozer
(Assignee)

Comment 2

4 years ago
That's why adding SSLRequireSSL On is a good idea...
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Reporter)

Comment 3

4 years ago
(In reply to Philippe M. Chiasson (:gozer) from comment #2)
> That's why adding SSLRequireSSL On is a good idea...

So then can we have the moral equivalent of

<?php

header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

?>

stuck into a /ssl-redirect.php (or .cgi or whatever) of the people.mozilla.org server, to improve the user experience in that case? I added

ErrorDocument 403 /~sfink/403.txt

to my .htaccess file, which just says "you gotta use HTTPS for that", but the redirect would be nicer. (And I can't do it myself, since I don't think the people server allows users to do any server-side scripting of any sort. Correct me if I'm wrong.)
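The loop diagnosed in comment 1 and the SSLRequireSSL / redirect discussion in comment 3, modelled as an added Python example that is not part of this bug's thread or of the people.mozilla.org configuration. It uses the standard-library cookie jar to show that a Secure-flagged cookie is withheld from plain-http requests, replays the GET, 401, login, reload cycle over both schemes, and shows that refusing plain http up front (what SSLRequireSSL does) ends the cycle with one 403 instead of a loop. The session cookie name browserid_state and the path come from the report; the cookie values, the analytics cookie names used as non-Secure filler, and the toy 401/403/200 server model are constructed.

```python
"""Model of the reload loop from this bug: a browser cookie jar refuses to
attach a Secure-flagged session cookie to plain-http requests, so the server
never sees the login that just completed. Added illustration, not code from
the people.mozilla.org deployment; cookie values and the server model are
constructed."""
from http.cookiejar import Cookie, CookieJar
import urllib.request

HOST = "people.mozilla.org"
PATH = "/~sfink/private/"          # the protected directory from the report
SESSION_COOKIE = "browserid_state"  # cookie name seen in the report; value constructed


def make_cookie(name, value, secure):
    """Build a cookie the way a browser stores one from a Set-Cookie header."""
    return Cookie(version=0, name=name, value=value, port=None, port_specified=False,
                  domain=HOST, domain_specified=True, domain_initial_dot=False,
                  path="/", path_specified=True, secure=secure, expires=None,
                  discard=True, comment=None, comment_url=None, rest={})


def cookies_sent(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the Secure, domain and path rules
    header = req.get_header("Cookie")
    return sorted(c.split("=", 1)[0] for c in header.split("; ")) if header else []


def secure_cookie_sent(scheme):
    """True if a Secure session cookie would travel on a request over scheme."""
    jar = CookieJar()
    jar.set_cookie(make_cookie(SESSION_COOKIE, "IYV4_constructed", secure=True))
    return SESSION_COOKIE in cookies_sent(jar, f"{scheme}://{HOST}{PATH}")


def serve(jar, url, require_ssl):
    """Toy model of the protected directory: 403 when SSLRequireSSL is on and
    the request is plain http, 401 without a session cookie, 200 otherwise."""
    if require_ssl and not url.startswith("https://"):
        return 403
    return 200 if SESSION_COOKIE in cookies_sent(jar, url) else 401


def login_flow(scheme, require_ssl=False, max_rounds=5):
    """Replay GET -> 401 -> Persona login (sets a Secure cookie) -> reload.
    Returns (final_status, rounds); 401 after max_rounds means it is looping."""
    jar = CookieJar()
    # Analytics-style cookies like those listed in the report: not Secure,
    # so they are sent on every request and never help authenticate.
    for name in ("_ga", "__utma", "__utmz"):
        jar.set_cookie(make_cookie(name, "constructed", secure=False))
    url = f"{scheme}://{HOST}{PATH}"
    for rounds in range(1, max_rounds + 1):
        status = serve(jar, url, require_ssl)
        if status != 401:
            return status, rounds
        # Login completes and the session cookie is set "for secure connections
        # only" (comment 1); over http the next reload will not carry it.
        jar.set_cookie(make_cookie(SESSION_COOKIE, "IYV4_constructed", secure=True))
    return 401, max_rounds


if __name__ == "__main__":
    for scheme, rs in (("http", False), ("https", False), ("http", True)):
        print(scheme, "SSLRequireSSL" if rs else "", login_flow(scheme, rs))
```

Run as a script it prints one line per scenario: plain http keeps returning 401 until the round cap, https authenticates on the second request, and http with the SSLRequireSSL model stops at a single 403, which is the response the ErrorDocument or redirect from comment 3 would then handle.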