113331 - can't log into AGEdwards

Status: VERIFIED FIXED

(Core :: Networking: Cookies, defect)

Description

[Robert Ginda]

I can't log into my AGEdwards account with 0.9.6, but I can with 0.9.5.

The script at <http://www.agedwards.com/BCJVerification.js> doesn't seem to be
able to set a cookie named "BCJ_COOKIE", which it uses to figure out if the
client supports cookies.

You don't need an account to see the problem, just go to
<https://www.agedwards.com/ageconnect/ageclogin>.  In 0.9.5 I am presented with
username and password fields, in 0.9.6 I get redirected to
<https://www.agedwards.com/bcj/CookieNotSetErr.html>.

To watch it f(l)ail, start the JavaScript Debugger (*before* loading the
acelogin), type "fbreak BCJVerification.js 3", and load the acelogin url. 
You'll be able to single step through the JS and watch the cookie not get set.

This happens on NT *and* Linux, running 0.9.6.

Comment 1

[Robert Ginda]

this may be related to bug 110501.

Comment 2

[Ariel Gonzalez]

Changing OS to ALL and adding URL

Comment 3

[Stephen P. Morse]

Reason this is failing is that server is sending back a max-age=-1 on the 
cookie.  That's not valid.  Here's what rfc2109 has to say about that:

   Max-Age=delta-seconds 
     Optional. The Max-Age attribute defines the lifetime of the cookie,
     in seconds. The delta-seconds value is a decimal non- negative integer.
     After delta-seconds seconds elapse, the client should discard the cookie.
     A value of zero means the cookie should be discarded immediately. 

What's happening is that mozilla is treating the max-age of -1 as a request that 
the cookie be expired one second ago.  In other words, it expires the cookie 
immediately.

Reason this website worked in 0.9.5 is because only recently did mozilla 
start to recognize the max-age attribute.  And Netscape 4 never recognized this 
attribute which is why this site works on N4.  I don't know what IE does with a 
negative max-age, so I can't answer as to why the site is working with IE.

OK, the site is sending back an invalid cookie (negative max-age) so we can't be 
faulted for rejecting it.  But since this site works with IE and with nav4, we 
need to do something intelligent so as to allow this site to function correctly.  
The obvious thing is to completely ignore the max-age attribute if it has a 
negative value.  Since there is no other expires information, this cookie will 
expire at the end of the session which is probably what the site intended.

Will create a patch to ignore negative max-age attributes.

Comment 4

[Stephen P. Morse]

Attachment: ignore negative max-age on set-cookie requests

Comment 5

[Stephen P. Morse]

cc'ing alecf and sgehani for reviews

Comment 6

[Alec Flett]

Comment on attachment 62961 [details] [diff] [review]
ignore negative max-age on set-cookie requests

oh that's nasty. Maybe we can get Netscape evangelism to get them to fix their
site? it seems like maybe their server is just broken? I guess I'm not hugely
excited about working around this...

sr=alecf in the meantime though.

Comment 7

[Stephen P. Morse]

It's not just this one site.  Tomorrow we'll get bug reports about other sites 
that work on IE and nav4 but fail on mozilla.  We can't win the game on 
evangalism alone -- we instead have to be compatible with what the other popular 
browsers do.  So this is not just an "in the meantime" fix.

Comment 8

[Samir Gehani]

Comment on attachment 62961 [details] [diff] [review]
ignore negative max-age on set-cookie requests

r=sgehani

I agree that we should ignore invalid values sent by the server.  This is a
robust solution erring on the side of making things work.  In the event that
the max-age value is not a number atoi() will return 0.

Comment 9

[Stephen P. Morse]

Patch checked in

Comment 10

[Tom Everingham]

verified - negative max-age ignored, presented with AGe-connect Log-In page:

Win NT4 2002010303
Linux rh6 2002010308
Mac osX 2002010308