Closed Bug 151903 Opened 22 years ago Closed 17 years ago

firefox accepts host-only cookies; IE treats them as domain

Categories

(Core :: Networking: Cookies, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED WONTFIX
mozilla1.4beta

People

(Reporter: mrye, Assigned: dwitte)

References

()

Details

Attachments

(1 file)

From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530 BuildID: 2002053012 At the submitted URL, I log into the site with my user ID and password. If I leave the site to go view another page on the web somewhere and then go back to www.amiga.org, Mozilla doesn't remember that I've already logged into the site. It wants me to enter my ID and password to the site again. This does not happen with IE 5.5 and IE 6. Those browsers remember that I have already logged in, even if I close all of their windows. Reproducible: Always Steps to Reproduce: 1. Go to http://www.amiga.org 2. Enter user ID and password. 3. Go to http://www.yahoo.com (or anywhere else) 4. Go to http://www.amiga.org and Mozilla expects me to enter my ID and password again. Actual Results: Mozilla expects me to enter my user ID and password into the web site when I should not need to because I've already logged in previously. Expected Results: The user ID and password entry boxes and login button should not appear on the page.
Which cookie settings do you use ? -> cookies
Assignee: Matti → morse
Component: Browser-General → Cookies
QA Contact: imajes-qa → tever
Matti@epost.de asked what Cookie settings I am using.... I usually use "Enable All Cookies". The problem happens on that setting. I also tried "Enable cookies for the originating web site only" and the problem happens with that setting, too. -- Michael
perhaps this is an evangelism problem... more investigation is needed. reporter: are you still able to reproduce this problem using a recent trunk build? thx!
Yes, it is reproducible in version 1.3a of Mozilla. -- Michael
OS: Windows 2000 → Windows XP
I got a complaint from a user that hotmail said that they needed cookies on. I tested it with cookies on and got the same problem. This is with 1.3 final, not a problem with 1.2.1 final.
dwitte: check out the last comment.
Michael, John: is it possible for you each to generate cookie logs for the problems you're seeing? instructions for windows can be found at http://bugzilla.mozilla.org/show_bug.cgi?id=193951#c1. also, if it's convenient, it'd be great if you could test 1.4a, we've had a lot of cookie changes go in recently. thanks!
This is the cookie log from my testing for this problem again with Mozilla 1.4a this time. Yes, the problem still happens and it reproducible.
hmm, this one was fun to debug... looks like evang to me. so if you visit "www.amiga.org", and log in, a cookie is set from the host "amiga.org". (note that this is a host cookie, not a domain cookie - so it will be sent only back to amiga.org, and not to www.amiga.org.) the site then redirects to amiga.org, which sees these cookies. the problem is, if you now "revisit" the site by typing in "www.amiga.org", these host cookies are not sent, so it doesn't know about your previous login. however, if you revisit the site using "amiga.org" instead, it works fine. i tested this on 1.2.1, 1.3 and a slightly-pre-1.4a trunk (20030328). same behavior. IE works, though i'm really not sure why. this would imply it's treating host cookies as domain cookies, which really is an evil thing. i'll have to test this aspect further. reporter: can you confirm my diagnosis, by using "amiga.org" instead of "www.amiga.org" when you revisit the site? if i'm correct, this is evang. suggested workarounds (either one of which will fix the problem): 1) amiga.org should set its cookies as domain cookies, so they get sent to www.amiga.org. 2) visiting www.amiga.org should immediately redirect to amiga.org. this will also fix password manager, which will be slightly broken with option 1) - logging in at www.amiga.org and amiga.org will be treated as separate password manager entires, which isn't really necessary. note that this problem should never be seen if the user always visits one site consistently (e.g. bookmarked www.amiga.org).
Assignee: morse → dwitte
Status: UNCONFIRMED → NEW
Ever confirmed: true
Michael Rye here..... Quoted from Dan Witte: "reporter: can you confirm my diagnosis, by using "amiga.org" instead of "www.amiga.org" when you revisit the site?" Confirmed. When I leave and revisit the site with www.amiga.org, the problem happens. Upon revisiting the site with just "amiga.org", the problem does _not_ happen and Mozilla treats the visit like I've already logged in (like it is supposed to).
great; thanks. so now i've got to sit down and figure out why IE doesn't do this. ;)
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.4beta
If you ask me, sounds like IE is broken, not Mozilla. Heh Heh. :-)
This is from wayne@amiga.org (Webmaster): "This is not a Mozilla bug specifically. It's a lack of a feature that most other browsers work correctly with. This is the fact that you're mixing and matching http://www.amiga.org and http://amiga.org when visiting the site. The server knows who it is, but somewhere between the browser and the server the session parameters are being dropped when a visitor goes to "www" and flips to "amiga.org". To get around this, don't go to "www"."
thanks for getting that info from the webmaster! darin: that explanation doesn't really make sense to me. do you have an opinion on this? ;)
some sites weren't built from the ground up w/ cookies in mind, so they don't get dns, the hostname, and all the base URL's correct. We could dig into the specfiics, but it sounds like a site problem to me.
QA Contact: tever → cookieqa
yeah, but i'd like to keep this open for now, because we need to investigate _why_ IE works in this situation. it's low priority but it needs to be done. (if you have the inclination to test IE, do let me know ;)
Probably IE has some www.amiga.com == amiga.com logic. If darin thinks this is important, I can invest some time in studying IE behavior.
Summary: Mozilla doesn't remember that I've logged into my site account → www.amiga.org and amiga.org cookie interchangability
i'm sure amiga.org is not the only site impacted by this. if IE silently just works, then chances are we'll hit this elsewhere. let's try to figure out what IE is doing, and if it seems reasonable maybe we should do the same.
Could it be that this bug is solved? 1 I went to www.amiga.org and registered 2 I went to www.amiga.org and logged in with my new login. 3 I went to www.destandaard.be and read some news pages 4 I went back to www.amiga.org and was still logged on. tested with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a4) Gecko/20040927, Windows XP
it's not solved on our end, amiga has fixed their site, that's all. ftr IE has no concept of host-only cookies, it treats everything as domain. i'm loathe to change our behavior in that regard because i think host cookies are useful. changing summary to reflect the underlying issue, and -> wontfix for now. please comment if you have any useful information to argue for changing our behavior to match IE's.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Summary: www.amiga.org and amiga.org cookie interchangability → firefox accepts host-only cookies; IE treats them as domain
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: