Closed Bug 164260 Opened 22 years ago Closed 22 years ago

online.lloydstsb.co.uk - Lloyds TSB - lloydstsb.com - login information is not retained

Categories

(Tech Evangelism Graveyard :: English Other, defect, P2)

x86
All
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: graeme.coates, Assigned: tristan)

References

()

Details

(Keywords: regression, Whiteboard: [havecontact])

Attachments

(3 files)

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1b) Gecko/20020721 Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1b) Gecko/2002082304 After logging into the banking system at https://online.lloydstsb.co.uk/customer.ibc, and then attempting to navigate inside the banking system (eg by selecting an account from the account list), the page changes back to the login screen, despite showing the correct URL in the address bar for the link clicked. Same behaviour would occur if the session timed out - perhaps session handling is not working correctly. Problem is apparent with build 2002082304 but does not occur with 1.1b from download page (2002072104). Bug may require a valid banking log on to reproduce. Reproducible: Always Steps to Reproduce: 1.Log on to https://online.lloydstsb.co.uk/customer.ibc 2.Select a link on the first page (eg account in list). 3.Navigation will return to logon screen despite correct URL showing. Actual Results: Navigation returned to login screen. Expected Results: Navigated to correct page within banking system. N/a
Sound like cookie or session problem. They are used by the server side languages. If the user turned off the cookie or restrict the cookie then this is where the banking can't keep track of the user and moved the user to the login page. It's the bank way of keeping hte unauthorize user from fiddling around.
Change this bug to "Tech Envangelism"??
Cookies are all turned on - and not sure why it should be OK with an older 1.1b build, and then fall over with a recent 1.1b nightly build...hmm.
*** Bug 168291 has been marked as a duplicate of this bug. ***
Duped bug topic was "When choosing banking account, you get bounced back to login screen. 1.1 works correctly" and it was set to PSM Client Library Confirming.
Assignee: asa → ssaux
Status: UNCONFIRMED → NEW
Component: Browser-General → Client Library
Ever confirmed: true
Product: Browser → PSM
QA Contact: asa → junruh
Version: other → unspecified
Adding regression keyword as this used to work fine in 1.1b, I see the problem in BuildID 2002090708 on Win2KSP2, from duped bug affects Windows ME too.
Keywords: regression
Tested on BuildID 2002083005 on Linux (RH7.3), also fails, setting OS to All This doesn't just happen on 1.2a, tested against BuildIDs 2002083108, 2002082008 and 2002080508 on Win2KSP2. It works fine on BuildID 2002080508 but fails on the other two, so something that landed between 2002080508 and 2002082008 has caused this regression.
OS: Windows 98 → All
Keywords: nsbeta1
I don't think this is crypto related, so PSM is not the right component. Kai take a look and reassign to the component tha makes most sense?
Assignee: ssaux → kaie
Severity: major → normal
Priority: -- → P2
Target Milestone: --- → 2.4
Making a wild guess, what could be the cause of the problem, and transfering this bug to => browser, cookies This bug needs investigation. A banking site does no longer work. We don't know yet what the cause is. But at least it should not be crypto/https/SSL, since general connectivity/page loading seems to be working.
Component: Client Library → Cookies
Product: PSM → Browser
Target Milestone: 2.4 → ---
Version: unspecified → other
*** Bug 171719 has been marked as a duplicate of this bug. ***
*** Bug 172206 has been marked as a duplicate of this bug. ***
Ok, had a bit of a play with the cookie manager (and this cookie log thing from bug 171507). Not cookie's are being rejected or not sent. What is happening is the following. Early in the login process Lloyds sets a cookie called ibcsession=0 once you have logged in you are given another cookie with a valid ibcsession (a very long string of numbers). It also sets another cookie: ShutdownRequested=No Then as you try to navigate around it asks for the cookies back. My guess is for some reason the order that the cookies as sent back in has changed, now it sends oldest first: ibcsession=0; ibcsession=000etc; ShutdownRequested=no. And the Lloyds site sees session=0 and thinks we don't have a valid session. Presumably it used to send the ibcsession=<valid string> first (but I can't tell as the older builds don't have cookie logging). Anyhow here is a simple work around! All you need to do is delete the ibcsession=0 cookie once you are logged in then navigating around the site works fine. Hopefully this will help with a fix?
Jon, thanks for the analysis. So I'm reassigning this to the browser-cooky owners. So what happening is: - you received: key=value - then you received: key=AnotherValue And you end up with both cookies being stored. I would have naively assumed, only one cooky for each key must be stored at any time. When you receive AnotherValue, shouldn't that replace/overwrite the earlier cooky?
Assignee: kaie → morse
QA Contact: junruh → tever
Yes the cookie name for both of them is ibcsession. I think it is not overwritting because the Host field in the cookie manager says: online.lloydstsb.co.uk for the ibcsession=0 cookie but the field changes to domain and reads .online.lloydtsb.co.uk for the second cookie. We've always kept both cookies. Looking at the range of dates in comment #7, surprisingly little happened in relation to the cookies, I've had a brief glance at the patches checked in but can't see anything related. I'm wildly guessing that this is related to bug 155114 which I don't have access to but was related to a security flaw involving cookies.
This was reported back in August and several changes have been made and subseqently backed out recently. Especially regarding handling of the path attribute. Try it again and let me know if it is still a problem. If so, attach the cookie log to the bug report. You can generate a log by doing: set NSPR_LOG_MODULES=cookie:3 -- shows rejected cookies set NSPR_LOG_MODULES=cookie:4 -- shows accepted and rejected cookies set NSPR_LOG_FILE=c:\cookie.log Use both 3 and 4 (two separate runs of course) and attach both logs.
Stephen, It is still a problem in the latest nightly builds. As I said in comment #12 I have run with your cookie logging and none are rejected or not sent. I'm loathe to attach the report here as the cookie values include my user-name as part of the string. If you still think it will be useful after my description of the situation I'll post a censored version of the log? I'm a bit confused about when you think this bug occurred, we know (comment #7) that it worked with nightly builds upto 5th Sept and we know it didn't work on the 23rd September so I don't think we need worry about checkins in August?!?
The bug was reported on August 23, so I'm presuming that it wasn't working on that date. Yes, I still would like to see the cookie log, just to verify that what you said is true. You can truncate the cookie values since the specific value is of no relevance, except to indicate when the value has actually changed or that it differs from another cookie having the same name.
Cookie Log with NSPR_LOG_MODULES = cookie:4 set while navigating around the LloydsTSB websie
Excuse my last comment Stephen, we know the problem occurred between the 5th and 23rd of August not of September (too early in the morning here ;). I've attached a log, of what happened when I loaded mozilla, logged into the site, clicked on a link then re-entered my username and password when prompted. If I use cookie:3 as the log module I get a blank file.
Problems that I see in the cookie log: 1. Secure attribute ===== COOKIE ACCEPTED ===== request URL: https://online.lloydstsb.co.uk/customer.ibc cookie string: ibcsession=<censored value>; domain=online.lloydstsb.co.uk; path=/;secure=yes; current time (gmt): Fri Oct 11 09:57:09 2002 ---------------- name: ibcsession value: <censored value> domain: .online.lloydstsb.co.uk path: / expires (gmt): at end of session is secure: false Note that the set-cookie header had "secure=yes" but the cookie got stored without the secure attribute. That means that the cookie will be sent out on future requests to non https sites which is against the instructions of the site when the cookie was set. I believe that the problem here might be that are parsing is being thrown off by the "=yes" part which is syntactically incorrect for the "secure" attribute according to the cookie spec. That requires more investigation. However I don't think this has anything to do with the current problem. 2. Sending duplicate cookies ===== COOKIE SENT ===== request URL: https://online.lloydstsb.co.uk/scripts/scripts1.css cookie string: ibcsession=0; ibcsession=<censored value> current time (gmt): Fri Oct 11 09:57:09 2002 This is perfectly correct since the two cookies differ in both their domain attributes which makes them distinct cookies. The rule is that cookies be sent back with longest path first. In this case both cookies have the path attribute of "/", so the ordering of the cookies is is undefined. It should be noted that only one of the set-cookie headers specified a path (of "/") and the other did not have a path attribute. By default we assigned the latter a path attribute of "/". That might be the problem. That is, at one time we might not have been forcing a "/" if the attribute was missing but rather using a blank path. In that case the cookie ordering would be such that this missing-path cookie would always be sent out last. I don't know if this is the problem or not, but it certainly is worthy of further investigation.
I just filed bug report 174104 on the "secure=" problem noted in comment 20. But that couldn't have any bearing on the current symptoms.
*** Bug 174117 has been marked as a duplicate of this bug. ***
Blocks: 173939
Blocks: 165095
*** Bug 174958 has been marked as a duplicate of this bug. ***
This one's pretty serious since it involves a major bank and we are starting to get dups on it. I'll argue that it's really an evangelism issue. Site is intentionally setting two cookies with the same name, and then getting confused when we send them back not in the order that they expect. And our ordering is correct since one cookie was set without a path name (which meand "/" path by default) and the other with an explicit path name of "/". (The spec requires that the ordering be by inverse path length.) Reassiging to evangelism.
Component: Cookies → Europe: West
Product: Browser → Tech Evangelism
Version: other → unspecified
Really reassigning this time.
Assignee: morse → nitot
QA Contact: tever → brantgurganus2001
For the Evangelists: Contact adresses/numbers for Lloyds-Tsb Online banking are at http://www.lloydstsb.com/contacts/0,1006,general,00.html (you don't need to log in or have an account for this). You can email them (takes you to a webform). They do list requirements as "Netscape Navigator 4.06 and above or Internet Explorer 4 and above", and indicate that my "Netscape 5" passes the needed requirements, so hopefully they may be willing to change the behaviour of their cookies.
*** Bug 175034 has been marked as a duplicate of this bug. ***
No longer blocks: 173939
From my reading of the spec, Mozilla is a fault rather than the bank. Can I just make very explicit what the problem is here (I will use the cookie spec http://wp.netscape.com/newsref/std/cookie_spec.html being unable to find a proper RFC and assuming (possibly wrongly) that Netscape's stuck) On first connect, the bank sends a cookie with Name: ibcsession Info: 0 Host: online.lloydstsb.co.uk Path: and after a sucessfull login form completion Name: ibcsession Info: <long string of numbers> Domain: .online.lloydstsb.co.uk Path: / We can see that there are two differences in what ought to be (and as the bank assumes to be interpreted as) the same cookie. 1) The hostname becomes a domain by the insertion of a '.' at the front. According to the spec, on this point, both cookies can not be distinguished since all that is required is that (in the '.uk' case) there is a 'tail match' of the last three terms. *This is the case* 2) The inital path name is blank and the subsiquent path names are '/'. According to the spec a blank path name is reinterpreted as being the same as the path of the document fetched with the cookie. In this case that path is '/'. *As such the two paths match.* Since according to this application of the Cookie Specifications the cookies identifiers match, Mozilla should overwrite the new one with the old one. Therefore (since I can't) please reassign to [Browser:Cookies]
Browser:Cookies
Assignee: nitot → morse
Component: Europe: West → Cookies
Product: Tech Evangelism → Browser
QA Contact: brantgurganus2001 → tever
Version: unspecified → other
Given: - the number of dupes. - the fact that it affects a major online bank. - it has been outstanding for some time after being incorrectly marked as the banks fault. is there any way of increasing the priority of this in order to get a quick fix? I've seen similar cookie related weirdness with Yahoo groups and Sourceforge downloads which I suspect are related to this problem of incorrect setting/returning of cookies.
I will send an email message to Mozilla drivers now, asking them to thing about this bug. Steve, what's your opinion on comment 28?
comment 28 is confused about the difference between a host cookie and a domain cookie. In fact the following from comment 28 is misleading > On first connect, the bank sends a cookie with > > Name: ibcsession > Info: 0 > Host: online.lloydstsb.co.uk > Path: What the bank actually sent was a cookie header of the form set-cookie: ibcsession=0 and nothing more. There was no mention of a host since indeed there is no such thing as a host attribute in a set-cookie header. Instead, by default, if no domain attribute is specified, then the cookie is taken to be a host cookie which means it will be sent back only to the exact host that set the cookie. It will not be sent back to any other hosts in a domain ending with the host name. In the second instance the bank sent a cookie header of the form set-cookie: ibcsession=<censored value>; domain=online.lloydstsb.co.uk; path=/;secure=yes; That's a domain cookie. It is syntactically incorrect since a domain is supposed to start with a dot (see the spec) but the cookie code is forgiving and silently inserts the dot. This cookie wil then get sent back to every host which tail-matches .online.lloydstsb.co.uk. For example it will send it to host xxx.online.lloydstsb.co.uk. It will also send it to the host that is simply .online.lloydstsb.co.uk, treating that as a special case. So you can see, these are two different cookies. One is a host cookie that gets sent back only to the one host. The other is a domain cookie that gets sent back to all hosts in the domain. As far as the paths differing, that is not a problem. In the first case there was no path specified in the set-cookie header, so in that case the cookie module uses the path of "/" by default. In the second case the set-cookie header explicitly specified the path of "/". So the two are treated identically by the cookie module. Had there not been the discrepency of the host/domain part, the cookie module would have recognized these as being the same cookie in spite of this path difference. I stand by my original conclusion -- this is not a problem with our cookie code but is a site issue that needs to be handled be evangelism. Reassiging back to evangelism.
Assignee: morse → nitot
Component: Cookies → Europe: West
Product: Browser → Tech Evangelism
QA Contact: tever → brantgurganus2001
Version: other → unspecified
> I've seen similar cookie related weirdness with Yahoo groups and Sourceforge > downloads which I suspect are related to this problem of incorrect > setting/returning of cookies. If you've seen other problems with other sites, then please report them as separate bugs so that they can get investigated. Do not assume that they are related to this bug, because this one is very specific and has to do with the site setting the same cookie twice -- once with a domain attribute and once without it.
Updating summary line to explicitly mention Lloyds Bank so that it can be found by doing a query
Summary: Login information is not retained when attempting to navigate within banking system. → Login information is not retained for Lloyds Bank
Ok, Steven, I agree. I have found RFC2109 ( http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2109.html ) -- for the purposes of Evangelism, is this (or some other) the agreed specification of cookies and by what authority?
I have no idea what authority agrees on the specification. But, yes, this is the agreed-upon spec. However, in the case of cookies, its impossible to implement the exact spec because it breaks too many websites. So instead we try to implement as much of it as possible and back off only in extreme cases. This is not an extreme case -- it involves only one website and so should be evangelized. A case in which we have had to back off was in not letting sites set cookies for paths in which they were not on. The spec clearly prohibits that. But when I implemented it, too many important websites broke.
Ok, so I sent Lloyds. It's very polite.
Comment on attachment 105454 [details] evangelism letter sent to Lloyds As a long and happy user of the Lloyds (then LloydsTSB) online banking system I write concerning a problem with the system’s implementation of cookies, in particular how it sets the cookie ‘ibcsession’. My investigation of the problem identifies the site’s failure to follow RFC2109 causes an incompatibility with Mozilla browser versions 1.2 upwards. As I am sure you are aware, the Netscape browser is a branded version of the Mozilla browser and, as such, making it highly likely that forthcoming releases of the Netscape browser will also suffer the same incompatibility. May I first point out the problem and then make very explicit why it is a problem. When a browser first connects to https://online.lloydstsb.co.uk/customer.ibc the following cookie is sent from the site request URL: https://online.lloydstsb.co.uk/customer.ibc cookie string: ibcsession=0; The problem is that no domain attribute has been set and that the string should have been: cookie string: ibcsession=0; domain=.online.lloydstsb.co.uk; I will now provide a detailed analysis. The parameters: domain, path, secure etc are not specified in the cookie string above and RFC2109:4.3.1 describes how to fill these parameters with default values: name: ibcsession value: 0 request-host: online.lloydstsb.co.uk path: / expires (gmt): at end of session is secure: false The most important (and the source of the error in implementation according to RFC2109) is that there is no ‘domain’ attribute and as such a “request-host” is set (4.3.1) – this will be fully explained below. After the user fills in their User ID and Password the following cookie is sent to the browser from the site request URL: https://online.lloydstsb.co.uk/customer.ibc cookie string: ibcsession=<censored value>; domain=online.lloydstsb.co.uk; path=/;secure=yes; which according to RFC2109 should be interpreted as name: ibcsession value: <censored value> domain: .online.lloydstsb.co.uk path: / expires (gmt): at end of session is secure: false There are several problems with the cookie string as can be seen by this interpretation. The most obvious (which is not the cause of the incompatibility) is that the ‘secure’ attribute is not set – this is because RFC2109:4.2.2 specifies that the ‘secure’ attribute in the cookie string should be specified “with no value”. The second problem (also not a cause of an incompatibility with Mozilla but a possible problem for the future) is that according to RFC2109:4.2.2 when specifying the domain attribute “an explicitly specified domain must always start with a dot.” otherwise according to 4.3.1 the cookie should actually be rejected (although Mozilla like many browsers ignores this requirement). When the user next clicks upon a link (to service their account) they find that they have been returned to the initial login page *rather than the account information page they expected*. This is because Mozilla returns this cookie string to the LloydsTSB site: cookie string: ibcsession=0; ibcsession=<censored value> The source of the incompatibility is clear, Mozilla sends two values of ‘ibcsession’ and the site, expecting only one, sees the first and returns the login page since ‘ibcsession=0’. Mozilla returns two values because according to RFC2019:4.3.1 when *no* domain attribute is set then the browser should “… defaults to the request-host . (Note that there is no dot at the beginning of request-host.)” When a domain is supplied then the domain attribute is set to the supplied string where (4.2.2) “An explicitly specified domain must always start with a dot.”. As such the two cookies are seen as *different* so *the second does not update the first* and according to RFC2109:4.3.4 *both* shall be returned by the browser (though the order they are to be returned in is a little unclear (4.3.4) “Ordering with respect to other attributes (e.g., Domain) is unspecified.”) I write to request that LloydsTSB make the small change to the code that I have identified at the top of this letter and look forward to hearing your thoughts upon this incompatibility. Best regards, Dr. Emmet Spier.
Comment on attachment 105454 [details] evangelism letter sent to Lloyds As a long and happy user of the Lloyds (then LloydsTSB) online banking system I write concerning a problem with the system’s implementation of cookies, in particular how it sets the cookie ‘ibcsession’. My investigation of the problem identifies the site’s failure to follow RFC2109 causes an incompatibility with Mozilla browser versions 1.2 upwards. As I am sure you are aware, the Netscape browser is a branded version of the Mozilla browser and, as such, making it highly likely that forthcoming releases of the Netscape browser will also suffer the same incompatibility. May I first point out the problem and then make very explicit why it is a problem. When a browser first connects to https://online.lloydstsb.co.uk/customer.ibc the following cookie is sent from the site request URL: https://online.lloydstsb.co.uk/customer.ibc cookie string: ibcsession=0; The problem is that no domain attribute has been set and that the string should have been: cookie string: ibcsession=0; domain=.online.lloydstsb.co.uk; I will now provide a detailed analysis. The parameters: domain, path, secure etc are not specified in the cookie string above and RFC2109:4.3.1 describes how to fill these parameters with default values: name: ibcsession value: 0 request-host: online.lloydstsb.co.uk path: / expires (gmt): at end of session is secure: false The most important (and the source of the error in implementation according to RFC2109) is that there is no ‘domain’ attribute and as such a “request-host” is set (4.3.1) – this will be fully explained below. After the user fills in their User ID and Password the following cookie is sent to the browser from the site request URL: https://online.lloydstsb.co.uk/customer.ibc cookie string: ibcsession=<censored value>; domain=online.lloydstsb.co.uk; path=/;secure=yes; which according to RFC2109 should be interpreted as name: ibcsession value: <censored value> domain: .online.lloydstsb.co.uk path: / expires (gmt): at end of session is secure: false There are several problems with the cookie string as can be seen by this interpretation. The most obvious (which is not the cause of the incompatibility) is that the ‘secure’ attribute is not set – this is because RFC2109:4.2.2 specifies that the ‘secure’ attribute in the cookie string should be specified “with no value”. The second problem (also not a cause of an incompatibility with Mozilla but a possible problem for the future) is that according to RFC2109:4.2.2 when specifying the domain attribute “an explicitly specified domain must always start with a dot.” otherwise according to 4.3.1 the cookie should actually be rejected (although Mozilla like many browsers ignores this requirement). When the user next clicks upon a link (to service their account) they find that they have been returned to the initial login page *rather than the account information page they expected*. This is because Mozilla returns this cookie string to the LloydsTSB site: cookie string: ibcsession=0; ibcsession=<censored value> The source of the incompatibility is clear, Mozilla sends two values of ‘ibcsession’ and the site, expecting only one, sees the first and returns the login page since ‘ibcsession=0’. Mozilla returns two values because according to RFC2019:4.3.1 when *no* domain attribute is set then the browser should “… defaults to the request-host . (Note that there is no dot at the beginning of request-host.)” When a domain is supplied then the domain attribute is set to the supplied string where (4.2.2) “An explicitly specified domain must always start with a dot.”. As such the two cookies are seen as *different* so *the second does not update the first* and according to RFC2109:4.3.4 *both* shall be returned by the browser (though the order they are to be returned in is a little unclear (4.3.4) “Ordering with respect to other attributes (e.g., Domain) is unspecified.”) I write to request that LloydsTSB make the small change to the code that I have identified at the top of this letter and look forward to hearing your thoughts upon this incompatibility. Best regards, Dr. Emmet Spier.
I have received the following email from Lloyds, looking up but not till next year. =========================================================================== Further to your email. Thank you for bringing this to our attention. Your email has been passed on to our Internet banking IT team who have investigated the issue relating to the Mozilla browser that you raised in your mail. As a result, an enhancement request has been raised which will be implemented in the first quarter of 2003. If you have any further queries, please do not hesitate to contact us again at online@lloydstsb.co.uk Regards Margo Agnew Lloyds TSB Online _________________
*** Bug 182214 has been marked as a duplicate of this bug. ***
*** Bug 183070 has been marked as a duplicate of this bug. ***
*** Bug 183325 has been marked as a duplicate of this bug. ***
*** Bug 184991 has been marked as a duplicate of this bug. ***
*** Bug 186119 has been marked as a duplicate of this bug. ***
I asked LloydsTSB to educate their telephone help desk...
Can the summary be updated so this bug can be found by people searching on Lloyds TSB or lloydstsb.com? That's why I didn't find it originally and instead contributed to a different bug...
Summary: Login information is not retained for Lloyds Bank → online.lloydstsb.co.uk - login information is not retained
Whiteboard: [havecontact]
Lloyds TSB and lloydstsb.com added to the summary.
Summary: online.lloydstsb.co.uk - login information is not retained → online.lloydstsb.co.uk - Lloyds TSB - lloydstsb.com - login information is not retained
*** Bug 186501 has been marked as a duplicate of this bug. ***
Further comments from Lloyds: "I have just received a mail from our Internet banking IT team, informing me that they have successfully applied the fix you suggested to the Mozilla browser issue you raised in November , and that it will be implemented on the live site in mid-February 2003. "They have asked me to pass on their thanks to you for your detailed analysis, which has saved them a considerable amount of time. "Best wishes for Christmas and the new year." and likewise from me.
Setting milestone per comment.
Target Milestone: --- → Mar
*** Bug 190935 has been marked as a duplicate of this bug. ***
This seems to have been fixed. It works for me, anyway, and the cookie log looks better; though I did download a new nightly yesterday, so it's possible something else has changed.
Agreed, works for me in 1.2.1.
This has definately been fixed, I am using mozilla 1.3a, on monday the problem was still there, today I can login and cookies are OK. Could the owner or someone with permission please mark this as resolved.
Yep, works here to with the same old build that used to choke. Marking fixed
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Verifying due to abundance of comments.
Status: RESOLVED → VERIFIED
tech evang june 2003 reorg
Component: Europe: West → English Other
Target Milestone: Mar → ---
Product: Tech Evangelism → Tech Evangelism Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: