Persona authentication in loops when using HTTP

4 years ago

(Reporter: sfink, Assigned: gozer)



(Whiteboard: [kanban:] )



4 years ago
I decided to try out the Persona authentication advertised when I log into I created a file ~sfink/public_html/private/.htaccess with:

  AuthType Persona
  Require valid-user

Then I tried navigating to

It gave me the Persona login stuff. I logged in, and it sent me into some sort of infinite reload loop.

It looks like I'm sending a handful of cookies with each request, none of them appearing to be Persona cookies. There is a flurry of requests, ending with a POST to . The request had these cookies: optimizelySegmeents, optimizelyEndUserId, optimizelyBuckets, _ga, __utmz, __utma. Then it reloads.

If I click on the 200 status code in the network log for that POST, I see in the "Sent Cookie" section the two cookies "can_set_cookies: 1" and "browserid_state: IYV4_...". The response headers are:

X-Powered-By:	Express
x-frame-options:	DENY
X-Content-Type-Options:	nosniff
Strict-Transport-Security:	max-age=10886400; includeSubdomains
Server:	nginx/1.6.0
Date:	Tue, 03 Jun 2014 20:15:15 GMT
Content-Type:	application/json; charset=utf-8
content-security-policy:	default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; font-src 'self'; img-src *; frame-src *;
Content-Length:	189
Connection:	keep-alive
Cache-Control:	no-cache, max-age=0

I don't know what triggers the reload. And I have no clue what component this bug should go in.

Comment 1

4 years ago
Oh, right. And in the reload loop, the initial GET is getting back a 401. I do not see any relevant cookies getting sent with that request.

Aha! It's because I'm using http instead of https. It works with https.

The Persona cookie I have is for secure connections only.


4 years ago
Summary: Persona authentication in loops → Persona authentication in loops when using HTTP


4 years ago
Whiteboard: [kanban:]


4 years ago
Assignee: server-ops-webops → gozer

Comment 2

4 years ago
That's why adding SSLRequireSSL On is a good idea...
Last Resolved: 4 years ago
Resolution: --- → FIXED

Comment 3

4 years ago
(In reply to Philippe M. Chiasson (:gozer) from comment #2)
> That's why adding SSLRequireSSL On is a good idea...

So then can we have the moral equivalent of

  header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

stuck into a /ssl-redirect.php (or .cgi or whatever) of the server, to improve the user experience in that case? I added

ErrorDocument 403 /~sfink/403.txt

to my .htaccess file, which just says "you gotta use HTTPS for that", but the redirect would be nicer. (And I can't do it myself, since I don't think the people server allows users to do any server-side scripting of any sort. Correct me if I'm wrong.)
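The redirect script comment 3 asks for, as an added example (not the reporter's code and not anything the people server ships), written as a Python CGI so it could sit at a placeholder path such as /cgi-bin/ssl-redirect.cgi, outside the SSLRequireSSL'd directory, and be named by ErrorDocument 403. It addresses the one weakness in the PHP one-liner above: HTTP_HOST is chosen by the client, so the host comes from an allow-list (people.example.org is a placeholder) rather than being echoed back, and the path is checked before it goes into the Location header.

```python
#!/usr/bin/env python3
"""ssl-redirect.cgi: send a plain-HTTP request to the same path over HTTPS.

Added example, not the people server's own code. Intended as the target of
    ErrorDocument 403 /cgi-bin/ssl-redirect.cgi
in a directory that also carries SSLRequireSSL (the directive takes no
argument), so an http:// request to the Persona-protected directory is
redirected instead of dead-ending on a 403. Host names are placeholders.
"""
import os
import re
import sys

# The Host header is client-supplied, so echoing $_SERVER['HTTP_HOST'] into
# Location (as the PHP one-liner does) would be an open redirect. Pin it.
ALLOWED_HOSTS = {"people.example.org"}   # placeholder allow-list
FALLBACK_HOST = "people.example.org"     # placeholder

# An absolute path with no whitespace; this also rules out CRLF injection.
_PATH_RE = re.compile(r"/\S*")


def https_location(environ):
    """Return the https:// URL to redirect to, or None if already on HTTPS."""
    if environ.get("HTTPS", "").lower() == "on":
        return None
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        host = FALLBACK_HOST
    # Apache's CGI environment keeps the *original* request URI in REQUEST_URI
    # even when this script runs as an ErrorDocument; REDIRECT_URL is the
    # path-only variable it also sets for internal redirects.
    path = environ.get("REQUEST_URI") or environ.get("REDIRECT_URL") or "/"
    if not _PATH_RE.fullmatch(path):
        path = "/"
    return "https://" + host + path


def cgi_response(environ):
    """CGI header block plus body: 302 to HTTPS, or a plain 403 when the
    error was not caused by a missing TLS connection."""
    location = https_location(environ)
    if location is None:
        return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\r\n"
    return ("Status: 302 Found\r\nLocation: %s\r\nContent-Type: text/plain\r\n\r\n"
            "Use HTTPS: %s\r\n" % (location, location))


if __name__ == "__main__":
    sys.stdout.write(cgi_response(os.environ))
```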