Closed Bug 165685 Opened 22 years ago Closed 22 years ago

When switching from no cookiepath to using cookiepath, old cookie gets in the way

Categories

(Bugzilla :: Bugzilla-General, defect)

Product:
Bugzilla
Component:
Bugzilla-General
Version:
2.17
Platform:
x86
Other
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 121419

People

(Reporter: bugreport, Assigned: justdave)

Details

Attachments

(1 obsolete file) 

In experimenting with using cookiepath (yeah - I had been leaving it defaulted),
it seems that the leftover cookie with path="/" from before I set the cookiepath
would supercede the more specific cookie with the new cookiepath.  (This occurs
with Mozilla 1.0)  As a result, as long as cookiepath remains set to something
more specific than "/", users must log in again on every page.

In any site where the cookiepath was set to "/" or where 2.14 was previosuly
used, I expect that this would be an issue on each client machine.

Probably the right thing to do, when cookiepath is enabled is to force the old
cookies out with something like...

print "Set-Cookie: Bugzilla_login= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT
Set-Cookie: Bugzilla_logincookie= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT

This is likely related to bug 121419, but the FQDN issue is moot because it is 2
URLs on the same server.
Yeah, I noticed this too. I thikn that this is a mozilla bug - rfc2109 says:

"If multiple cookies satisfy the criteria above, they are ordered in the Cookie
header such that those with more specific Path attributes precede those with
less specific. Ordering with respect to other attributes (e.g., Domain) is
unspecified."
Actually, this is a bz bug. The $::COOKIE stuff in CGI.pl needs to consider the
most specific path attribute, ie the first one, not the last//

CGI::Cookie claims that this is a netscape bug, but the specs agree that this
behaviour is correct.
This patch just clears out the old default cookie if cookiepath is something
more than "/"

 This should help sites that have   http://myserver/thiszilla/	 and
http://myserver/thatzilla/, but we should do as bbaetz suggests otherwise sites
that have http://myserver/thiszilla/ and http://myserver/thiszilla/thatzilla/
would not be fixed.
It appears from the CGI.pm docs that the browser may not even tell the server
which of several matching cookies was hit.

So, the proper fix may actually be to change cookiepath to cookiesuffix and
change the name of the cookie instead of its path.


I think what our problem is would be that the browser is sending them in the
order of:
bugzilla.domain.org/bugzilla
bugzilla.domain.org/
.domain.org/bugzilla
.domain.org/

And when we assign them $::COOKIE (using our own code, not CGI.pm) we just keep
clobbering the old value and $::COOKIE{Bugzilla_login} ends up being the one
sent for .domain.org (the last, or least significant one).  We need to either
test all the cookies sent to us or modify the code so it picks the most
significant cookie.

The problem I see with the patch supplied here is that if I have:
/bz123
/bz456
/bz789
/bz147
/bz258
/bz369
(such as on landfill) on only /bz147 uses a seperate database, then I could set
the cookie path all the other installs to be / and they'd share one login and
set /bz147 to be "/bz147" and if the code behaved properly it'd use it's own
login and everybody would be happy :), with this patch, logging in at /bz147
would clobber the login for all the other installs (I know that's what the
pre-cookiepath behavior was, but improvment is good, esp. for landfill testing :)

Jake is correct, and that makes this a dupe of 121419


*** This bug has been marked as a duplicate of 121419 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Attachment #97314 - Attachment is obsolete: true
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: