Closed Bug 1243783 Opened 8 years ago Closed 8 years ago

CRITICAL cookies not persisting between page requests

Categories

(Core :: Networking: Cookies, defect)

44 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1244505

People

(Reporter: james.lewis, Unassigned)

Details

(Whiteboard: [regressed by bug 1233784])

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36

Steps to reproduce:

1. http://www.hotelchocolat.com/uk/shop/valentines-day-gifts
2. Click add to your bag
3. Visit basket http://www.hotelchocolat.com/uk/basket



Actual results:

Basket does not contain product


Expected results:

Basket should have contained product added to basket
The issue has been happening since version 44 of Firefox was released.
This is affecting 10+ sites that we manage, and we suspect it is affecting many other websites on the internet.
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4dfe96e8f6026fb790b3db9c5666e9fda1e03b81&tochange=ca28125f2f0d36968e9fdffcccc5b817ee0ea324

It's due to this security patch:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-04/

You probably have to change the names of some of the cookies on the server side, according to the spec:
http://tools.ietf.org/html/rfc6265#section-4.1.1

Nicholas, your thoughts?
Flags: needinfo?(hurley)
Whiteboard: [regressed by bug 1233784]
Component: Untriaged → Networking: Cookies
Yeah, we aren't doing anything in that patch that at least some other browsers don't already do - some cookie names/values need to be changed. The ASCII values that are disallowed can be seen at https://hg.mozilla.org/mozilla-central/rev/ca28125f2f0d (look for illegalNameCharacters). There isn't any value in there that you should be using in a cookie name to begin with. I'm going to mark this as INVALID; please re-open if there's an actual bug around that patch (i.e., some character is somehow being disallowed even if it should be allowed according to the spec).
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(hurley)
Resolution: --- → INVALID
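One way a site operator could audit Set-Cookie values against the RFC 6265 section 4.1.1 grammar cited above. This is an added example, not code from this bug or from Firefox; it checks the RFC grammar (cookie-name as an RFC 2616 token, cookie-value as cookie-octets) rather than Firefox's illegalNameCharacters list, and the function names and sample headers are constructed for illustration.

```python
import re

# RFC 2616 section 2.2 separators: a token (cookie-name) may not contain these.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
# cookie-octet, RFC 6265 section 4.1.1: printable US-ASCII except
# whitespace, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTET = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*')


def bad_name_chars(name):
    """Characters that stop `name` from being an RFC 2616 token."""
    return [c for c in name if not 0x21 <= ord(c) <= 0x7E or c in SEPARATORS]


def check_set_cookie(header_value):
    """Return a list of grammar problems in the cookie-pair of one Set-Cookie value."""
    pair = header_value.split(";", 1)[0]  # attributes after the first ';' are not checked
    if "=" not in pair:
        return ["no '=' in cookie-pair"]
    name, value = pair.split("=", 1)
    problems = []
    if not name:
        problems.append("empty cookie-name")
    bad = bad_name_chars(name)
    if bad:
        problems.append("cookie-name has non-token characters: %r" % bad)
    # The grammar allows the value to be wrapped in one pair of double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    bad = sorted({c for c in value if not COOKIE_OCTET.fullmatch(c)})
    if bad:
        problems.append("cookie-value has non-cookie-octet characters: %r" % bad)
    return problems


# Constructed sample headers (not taken from the site in this bug).
SAMPLES = [
    "basket_id=abc123; Path=/; HttpOnly",
    "basket[id]=abc123; Path=/",
    "user prefs=1",
    'token="a b"',
    "sid=x,y",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_set_cookie(header) or "ok")
```

Because the check splits on the first `;`, a semicolon inside a name or value shows up as a truncated pair rather than as a flagged character.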
Please note Chrome and Internet Explorer do not have any issues with our cookies.

So it looks like the Firefox browser might not work with some sites, but other browsers will.
Yes, on second look, I may have been a bit hasty - more activity (including a potential fix) is over in bug 1244505. Let's take discussion over there.
Resolution: INVALID → DUPLICATE