Closed
Bug 151903
Opened 22 years ago
Closed 17 years ago
firefox accepts host-only cookies; IE treats them as domain
Categories
(Core :: Networking: Cookies, defect)
Tracking
()
RESOLVED
WONTFIX
mozilla1.4beta
People
(Reporter: mrye, Assigned: dwitte)
References
()
Details
Attachments
(1 file)
53.07 KB,
text/plain
|
Details |
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530
BuildID: 2002053012
At the submitted URL, I log into the site with my user ID and password. If I
leave the site to go view another page on the web somewhere and then go back to
www.amiga.org, Mozilla doesn't remember that I've already logged into the site.
It wants me to enter my ID and password to the site again. This does not
happen with IE 5.5 and IE 6. Those browsers remember that I have already logged
in, even if I close all of their windows.
Reproducible: Always
Steps to Reproduce:
1. Go to http://www.amiga.org
2. Enter user ID and password.
3. Go to http://www.yahoo.com (or anywhere else)
4. Go to http://www.amiga.org and Mozilla expects me to enter my ID and password
again.
Actual Results: Mozilla expects me to enter my user ID and password into the
web site when I should not need to because I've already logged in previously.
Expected Results: The user ID and password entry boxes and login button should
not appear on the page.
Comment 1•22 years ago
|
||
Which cookie settings do you use ?
-> cookies
Assignee: Matti → morse
Component: Browser-General → Cookies
QA Contact: imajes-qa → tever
Reporter | ||
Comment 2•22 years ago
|
||
Matti@epost.de asked what Cookie settings I am using....
I usually use "Enable All Cookies". The problem happens on that setting.
I also tried "Enable cookies for the originating web site only" and the
problem happens with that setting, too.
--
Michael
perhaps this is an evangelism problem... more investigation is needed.
reporter: are you still able to reproduce this problem using a recent trunk
build? thx!
Reporter | ||
Comment 4•22 years ago
|
||
Yes, it is reproducible in version 1.3a of Mozilla.
--
Michael
OS: Windows 2000 → Windows XP
Comment 5•22 years ago
|
||
I got a complaint from a user that hotmail said that they needed cookies on. I
tested it with cookies on and got the same problem. This is with 1.3 final, not
a problem with 1.2.1 final.
Comment 6•22 years ago
|
||
dwitte: check out the last comment.
Assignee | ||
Comment 7•22 years ago
|
||
Michael, John: is it possible for you each to generate cookie logs for the
problems you're seeing? instructions for windows can be found at
http://bugzilla.mozilla.org/show_bug.cgi?id=193951#c1.
also, if it's convenient, it'd be great if you could test 1.4a, we've had a lot
of cookie changes go in recently. thanks!
Reporter | ||
Comment 8•22 years ago
|
||
This is the cookie log from my testing for this problem again with Mozilla 1.4a
this time. Yes, the problem still happens and it reproducible.
Assignee | ||
Comment 9•22 years ago
|
||
hmm, this one was fun to debug... looks like evang to me.
so if you visit "www.amiga.org", and log in, a cookie is set from the host
"amiga.org". (note that this is a host cookie, not a domain cookie - so it will
be sent only back to amiga.org, and not to www.amiga.org.) the site then
redirects to amiga.org, which sees these cookies.
the problem is, if you now "revisit" the site by typing in "www.amiga.org",
these host cookies are not sent, so it doesn't know about your previous login.
however, if you revisit the site using "amiga.org" instead, it works fine.
i tested this on 1.2.1, 1.3 and a slightly-pre-1.4a trunk (20030328). same
behavior. IE works, though i'm really not sure why. this would imply it's
treating host cookies as domain cookies, which really is an evil thing. i'll
have to test this aspect further.
reporter: can you confirm my diagnosis, by using "amiga.org" instead of
"www.amiga.org" when you revisit the site?
if i'm correct, this is evang. suggested workarounds (either one of which will
fix the problem):
1) amiga.org should set its cookies as domain cookies, so they get sent to
www.amiga.org.
2) visiting www.amiga.org should immediately redirect to amiga.org. this will
also fix password manager, which will be slightly broken with option 1) -
logging in at www.amiga.org and amiga.org will be treated as separate password
manager entires, which isn't really necessary. note that this problem should
never be seen if the user always visits one site consistently (e.g. bookmarked
www.amiga.org).
Assignee: morse → dwitte
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter | ||
Comment 10•22 years ago
|
||
Michael Rye here.....
Quoted from Dan Witte:
"reporter: can you confirm my diagnosis, by using "amiga.org" instead of
"www.amiga.org" when you revisit the site?"
Confirmed. When I leave and revisit the site with www.amiga.org, the problem
happens. Upon revisiting the site with just "amiga.org", the problem does
_not_ happen and Mozilla treats the visit like I've already logged in (like it
is supposed to).
Assignee | ||
Comment 11•22 years ago
|
||
great; thanks. so now i've got to sit down and figure out why IE doesn't do this. ;)
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.4beta
Reporter | ||
Comment 12•22 years ago
|
||
If you ask me, sounds like IE is broken, not Mozilla. Heh Heh. :-)
Comment 13•22 years ago
|
||
This is from wayne@amiga.org (Webmaster):
"This is not a Mozilla bug specifically. It's a lack of a feature
that most other browsers work correctly with. This is the fact that you're
mixing and matching http://www.amiga.org and http://amiga.org when visiting
the site. The server knows who it is, but somewhere between the browser and
the server the session parameters are being dropped when a visitor goes to
"www" and flips to "amiga.org". To get around this, don't go to "www"."
Assignee | ||
Comment 14•22 years ago
|
||
thanks for getting that info from the webmaster!
darin: that explanation doesn't really make sense to me. do you have an opinion
on this? ;)
Comment 15•21 years ago
|
||
some sites weren't built from the ground up w/ cookies in mind, so they don't
get dns, the hostname, and all the base URL's correct.
We could dig into the specfiics, but it sounds like a site problem to me.
QA Contact: tever → cookieqa
Assignee | ||
Comment 16•21 years ago
|
||
yeah, but i'd like to keep this open for now, because we need to investigate
_why_ IE works in this situation. it's low priority but it needs to be done. (if
you have the inclination to test IE, do let me know ;)
Comment 17•21 years ago
|
||
Probably IE has some www.amiga.com == amiga.com logic.
If darin thinks this is important, I can invest some time in studying IE behavior.
Summary: Mozilla doesn't remember that I've logged into my site account → www.amiga.org and amiga.org cookie interchangability
Comment 18•21 years ago
|
||
i'm sure amiga.org is not the only site impacted by this. if IE silently just
works, then chances are we'll hit this elsewhere. let's try to figure out what
IE is doing, and if it seems reasonable maybe we should do the same.
Comment 19•20 years ago
|
||
Could it be that this bug is solved?
1 I went to www.amiga.org and registered
2 I went to www.amiga.org and logged in with my new login.
3 I went to www.destandaard.be and read some news pages
4 I went back to www.amiga.org and was still logged on.
tested with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a4)
Gecko/20040927, Windows XP
Assignee | ||
Comment 20•17 years ago
|
||
it's not solved on our end, amiga has fixed their site, that's all.
ftr IE has no concept of host-only cookies, it treats everything as domain. i'm loathe to change our behavior in that regard because i think host cookies are useful.
changing summary to reflect the underlying issue, and -> wontfix for now. please comment if you have any useful information to argue for changing our behavior to match IE's.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Summary: www.amiga.org and amiga.org cookie interchangability → firefox accepts host-only cookies; IE treats them as domain
You need to log in
before you can comment on or make changes to this bug.
Description
•