Closed Bug 114709 Opened 23 years ago Closed 23 years ago

Redirection Limit error.

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.8

People

(Reporter: ssaux, Assigned: morse)

References

(
URL
)

Details

(Whiteboard: checklinux, checkwin)

Attachments

(1 file)

test for expired cookie before downgrading to session cookie
2.04 KB, patch
samir_bugzilla
: review+
alecf
: superreview+
Details | Diff | Splinter Review 
Build ID: 2001121003
Start moz.
go to http://www.nytimes.com
click on a story link, you get the redirection limit error dialog.
Dismiss the dialog,
click on the link again. 
Page loads.
networking.  Happens on Linux too.
Assignee: asa → darin
Component: Browser-General → Networking: HTTP
OS: Windows 2000 → All
QA Contact: doronr → tever
Hardware: PC → All
ssaux: can you try adjusting the pref:

user_pref("network.http.redirection-limit", 10);

from 10 to something larger and see if this problem goes away?

perhaps we need to make the default for this something larger... or perhaps this
indicates some infinite redirect case on nytimes.com.

thx!

FWIW, I cannot reproduce this with a 12-11 nightly. Looking through a 
packet dump I can't find any loops either.

I would say this shows why including the URL in the error message is 
a good idea.
I tried a few things, but couldn't reproduce.
I'll let you know if it occurs again.
I can reproduce this by visiting https://www.mybroker.co.uk using both 0.9.6 and
build 2001121308-trunk on Linux (Red Hat 7.1 + updates). The problem appears to
be cookie related and in particular, the "Limit maximum lifetime of cookies" 
option in the cookies section of the privacy & security preferences.

Normally I have this option checked and select "current session". If you log in
to the site mentioned with a bogus username & password ('foo' & 'bar' for
instance) it overwrites the (initial) session cookies with new values and a new
expiry date from 1970, and so they should be junked. With the builds mentioned
of Mozilla, the page gets reloaded several times and then if after getting the
"redirection limit exceeded" dialog you view the stored cookies, you'll see that
they are still there and are scheduled to expire at the end of the current session. 

It appears therefore they get (wrongly) presented again to the site when the
failed logon page is retrieved, but as the site uses the cookies to identify the
user and these cookies are bogus, you get immediately redirected again to the
failed logon page. This cycle repeats for ever until the redirection limit
exceeded message pops up.

Fix should be for the cookies to always be junked if they have an expiry date in
the past regardless of the settings in cookie preferences.
-> cookies
Assignee: darin → morse
Component: Networking: HTTP → Cookies
Chris Underhill, thanks for doing the analysis on this.  You are absolutely 
correct -- the problem is being caused by limiting expired cookies to session 
cookie, thereby inadvertantly extending rather than limiting their lifetimes.

Same problem will occur with p3p when it tries to downgrade a cookie to a 
session cookie -- therefore it needs to test for expired cookies before doing 
such downgrading.

Attaching patch that fixes problems.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.8
cc'ing alecf and sgehani for reviews.
Comment on attachment 61887 [details] [diff] [review]
test for expired cookie before downgrading to session cookie

add some comments to the c++ (the JS ones explaint this well) and sr=alecf
Attachment #61887 - Flags: superreview+
An additional thought - some sites use cookies with an expiry date of just a few
minutes in the future as a method of forcing (normal!) users to login again if
they have been idle for too long. AFAICT, if the preferences are set to convert
cookies to all be session cookies, this will no longer work: The "expires in n
minutes" will be "downgraded" to expires at end of session, which, as Mozilla is
now very reliable, could well be more than n minutes in the future. 

A better solution imo would be to process/expire such (downgraded) cookies as
normal but simply do not write them to the cookie file, so they that they are
unknown to subsequent sessions but do expire correctly.
Yes, you are correct in that cookies set to expire in the "very near future" 
will instead be "upgraded" to live for the entire session.  But that's much less 
serious than the current problem, so I suggest you open a separate bug report on 
it.  Reference this bug number in that report.
Comment on attachment 61887 [details] [diff] [review]
test for expired cookie before downgrading to session cookie

r=sgehani
Attachment #61887 - Flags: review+
Patch checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
*** Bug 116875 has been marked as a duplicate of this bug. ***
*** Bug 117635 has been marked as a duplicate of this bug. ***
*** Bug 119580 has been marked as a duplicate of this bug. ***
The fix in this bug perhaps applied to https://www.mybroker.co.uk, but 
did not apply to http://www.nytimes.com/ (see bug 119716). Since the three 
dups above were all for nytimes.com, I'm changing the URL for this bug to 
point to https://www.mybroker.co.uk, and leaving bug 119716 for the nytimes.com 
situation.
URL: http://www.nytimes.comhttps://www.mybroker.co.uk
*** Bug 122598 has been marked as a duplicate of this bug. ***
*** Bug 164236 has been marked as a duplicate of this bug. ***
V/fixed. Mac OS X, Mozilla 1.84a,
cookies in the past never appear in cookie manager.
Status: RESOLVED → VERIFIED
Whiteboard: checklinux, checkwin
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: