can't log into AGEdwards

VERIFIED FIXED in mozilla0.9.8

People

(Reporter: rginda, Assigned: morse)

Tracking

Trunk
mozilla0.9.8
x86
All
(Reporter)

Description

17 years ago
I can't log into my AGEdwards account with 0.9.6, but I can with 0.9.5.

The script at <http://www.agedwards.com/BCJVerification.js> doesn't seem to be
able to set a cookie named "BCJ_COOKIE", which it uses to figure out if the
client supports cookies.

You don't need an account to see the problem, just go to
<https://www.agedwards.com/ageconnect/ageclogin>.  In 0.9.5 I am presented with
username and password fields, in 0.9.6 I get redirected to
<https://www.agedwards.com/bcj/CookieNotSetErr.html>.

To watch it f(l)ail, start the JavaScript Debugger (*before* loading the
acelogin), type "fbreak BCJVerification.js 3", and load the acelogin url. 
You'll be able to single step through the JS and watch the cookie not get set.

This happens on NT *and* Linux, running 0.9.6.
(Reporter)

Comment 1

17 years ago
this may be related to bug 110501.
(Assignee)

Updated

17 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.8

Comment 2

17 years ago
Changing OS to ALL and adding URL
OS: Linux → All
(Assignee)

Updated

17 years ago
Keywords: nsbeta1
(Assignee)

Comment 3

17 years ago
Reason this is failing is that server is sending back a max-age=-1 on the 
cookie.  That's not valid.  Here's what rfc2109 has to say about that:

   Max-Age=delta-seconds 
     Optional. The Max-Age attribute defines the lifetime of the cookie,
     in seconds. The delta-seconds value is a decimal non-negative integer.
     After delta-seconds seconds elapse, the client should discard the cookie.
     A value of zero means the cookie should be discarded immediately. 

What's happening is that mozilla is treating the max-age of -1 as a request that 
the cookie be expired one second ago.  In other words, it expires the cookie 
immediately.

Reason this website worked in 0.9.5 is because only recently did mozilla 
start to recognize the max-age attribute.  And Netscape 4 never recognized this 
attribute which is why this site works on N4.  I don't know what IE does with a 
negative max-age, so I can't answer as to why the site is working with IE.

OK, the site is sending back an invalid cookie (negative max-age) so we can't be 
faulted for rejecting it.  But since this site works with IE and with nav4, we 
need to do something intelligent so as to allow this site to function correctly.  
The obvious thing is to completely ignore the max-age attribute if it has a 
negative value.  Since there is no other expires information, this cookie will 
expire at the end of the session which is probably what the site intended.

Will create a patch to ignore negative max-age attributes.
(Assignee)

Comment 4

17 years ago
Created attachment 62961 [details] [diff] [review]
ignore negative max-age on set-cookie requests
(Assignee)

Comment 5

17 years ago
cc'ing alecf and sgehani for reviews

Comment 6

17 years ago
Comment on attachment 62961 [details] [diff] [review]
ignore negative max-age on set-cookie requests

oh that's nasty. Maybe we can get Netscape evangelism to get them to fix their
site? it seems like maybe their server is just broken? I guess I'm not hugely
excited about working around this...

sr=alecf in the meantime though.
Attachment #62961 - Flags: superreview+
(Assignee)

Comment 7

17 years ago
It's not just this one site.  Tomorrow we'll get bug reports about other sites 
that work on IE and nav4 but fail on mozilla.  We can't win the game on 
evangelism alone -- we instead have to be compatible with what the other popular 
browsers do.  So this is not just an "in the meantime" fix.

Comment 8

17 years ago
Comment on attachment 62961 [details] [diff] [review]
ignore negative max-age on set-cookie requests

r=sgehani

I agree that we should ignore invalid values sent by the server.  This is a
robust solution erring on the side of making things work.  In the event that
the max-age value is not a number, atoi() will return 0.
Attachment #62961 - Flags: review+
(Assignee)

Comment 9

17 years ago
Patch checked in
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 10

17 years ago
verified - negative max-age ignored, presented with AGe-connect Log-In page:

Win NT4 2002010303
Linux rh6 2002010308
Mac osX 2002010308
Status: RESOLVED → VERIFIED