Closed Bug 113331 Opened 24 years ago Closed 23 years ago

can't log into AGEdwards

Categories

(Core :: Networking: Cookies, defect)

x86
All
defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla0.9.8

People

(Reporter: rginda, Assigned: morse)


Attachments

(1 file)

I can't log into my AGEdwards account with 0.9.6, but I can with 0.9.5. The script at <http://www.agedwards.com/BCJVerification.js> doesn't seem to be able to set a cookie named "BCJ_COOKIE", which it uses to figure out if the client supports cookies. You don't need an account to see the problem, just go to <https://www.agedwards.com/ageconnect/ageclogin>. In 0.9.5 I am presented with username and password fields, in 0.9.6 I get redirected to <https://www.agedwards.com/bcj/CookieNotSetErr.html>. To watch it f(l)ail, start the JavaScript Debugger (*before* loading the acelogin), type "fbreak BCJVerification.js 3", and load the acelogin url. You'll be able to single step through the JS and watch the cookie not get set. This happens on NT *and* Linux, running 0.9.6.
this may be related to bug 110501.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.8
Changing OS to ALL and adding URL
Keywords: nsbeta1
Reason this is failing is that server is sending back a max-age=-1 on the cookie. That's not valid. Here's what rfc2109 has to say about that:

    Max-Age=delta-seconds
        Optional. The Max-Age attribute defines the lifetime of the cookie, in seconds. The delta-seconds value is a decimal non-negative integer. After delta-seconds seconds elapse, the client should discard the cookie. A value of zero means the cookie should be discarded immediately.

What's happening is that mozilla is treating the max-age of -1 as a request that the cookie be expired one second ago. In other words, it expires the cookie immediately.

Reason this website worked in 0.9.5 is because only recently did mozilla start to recognize the max-age attribute. And Netscape 4 never recognized this attribute which is why this site works on N4. I don't know what IE does with a negative max-age, so I can't answer as to why the site is working with IE.

OK, the site is sending back an invalid cookie (negative max-age) so we can't be faulted for rejecting it. But since this site works with IE and with nav4, we need to do something intelligent so as to allow this site to function correctly. The obvious thing is to completely ignore the max-age attribute if it has a negative value. Since there is no other expires information, this cookie will expire at the end of the session which is probably what the site intended.

Will create a patch to ignore negative max-age attributes.
cc'ing alecf and sgehani for reviews
Comment on attachment 62961: ignore negative max-age on set-cookie requests

oh that's nasty. Maybe we can get Netscape evangelism to get them to fix their site? it seems like maybe their server is just broken? I guess I'm not hugely excited about working around this... sr=alecf in the meantime though.
Attachment #62961 - Flags: superreview+
It's not just this one site. Tomorrow we'll get bug reports about other sites that work on IE and nav4 but fail on mozilla. We can't win the game on evangelism alone -- we instead have to be compatible with what the other popular browsers do. So this is not just an "in the meantime" fix.
Comment on attachment 62961: ignore negative max-age on set-cookie requests

r=sgehani

I agree that we should ignore invalid values sent by the server. This is a robust solution erring on the side of making things work. In the event that the max-age value is not a number, atoi() will return 0.
Attachment #62961 - Flags: review+
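The max-age handling discussed in the comments above, as an added example that is not the attached patch or Mozilla's cookie code: it compares treating a negative max-age as an expiry in the past with ignoring it, and shows what the atoi() result means for a non-numeric value. The names `cookie_fate`, `find_max_age` and `cookie_fate_for` are hypothetical, the sample headers are constructed, and any Expires attribute is ignored.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical names for illustration; this is not Mozilla's cookie code. */
typedef enum { COOKIE_SESSION, COOKIE_PERSISTENT, COOKIE_DISCARD } cookie_fate;

/* Case-insensitive search for "max-age=" in a Set-Cookie value.
 * Simplification: matches the key anywhere in the string. */
static const char *find_max_age(const char *s) {
    static const char key[] = "max-age=";
    for (; *s; s++) {
        size_t i = 0;
        while (key[i] && tolower((unsigned char)s[i]) == key[i])
            i++;
        if (!key[i])
            return s + i;               /* points at the attribute value */
    }
    return NULL;
}

/* ignore_negative = 0: behaviour the bug describes for 0.9.6.
 * ignore_negative = 1: the workaround proposed in the bug. */
cookie_fate cookie_fate_for(const char *set_cookie, time_t now,
                            int ignore_negative, time_t *expires) {
    const char *v = find_max_age(set_cookie);
    if (v == NULL)
        return COOKIE_SESSION;          /* no lifetime given at all */
    int delta = atoi(v);                /* 0 when v is not a number */
    if (delta < 0 && ignore_negative)
        return COOKIE_SESSION;          /* invalid attribute dropped */
    *expires = now + delta;
    return (*expires <= now) ? COOKIE_DISCARD : COOKIE_PERSISTENT;
}

int main(void) {
    /* Constructed sample headers; the cookie value is made up. */
    const char *samples[] = { "BCJ_COOKIE=1; max-age=-1", "BCJ_COOKIE=1; Max-Age=3600",
                              "BCJ_COOKIE=1; max-age=abc", "BCJ_COOKIE=1" };
    const char *names[] = { "session", "persistent", "discard" };
    time_t now = time(NULL), when = 0;
    for (size_t i = 0; i < 4; i++)
        printf("%-28s before=%-10s after=%s\n", samples[i],
               names[cookie_fate_for(samples[i], now, 0, &when)],
               names[cookie_fate_for(samples[i], now, 1, &when)]);
    return 0;
}
```

With this logic a non-numeric max-age parses as 0 and the cookie is discarded immediately, whereas a negative one falls back to a session cookie.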
Patch checked in
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
verified - negative max-age ignored, presented with AGe-connect Log-In page:
Win NT4 2002010303
Linux rh6 2002010308
Mac osX 2002010308
Status: RESOLVED → VERIFIED