Closed Bug 165685 Opened 22 years ago Closed 22 years ago

When switching from no cookiepath to using cookiepath, old cookie gets in the way

Categories

(Bugzilla :: Bugzilla-General, defect)

Product:
Bugzilla
Component:
Bugzilla-General
Version:
2.17
Platform:
x86
Other
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 121419

People

(Reporter: bugreport, Assigned: justdave)

Details

Attachments

(1 obsolete file)

In experimenting with using cookiepath (yeah - I had been leaving it defaulted), it seems that the leftover cookie with path="/" from before I set the cookiepath would supercede the more specific cookie with the new cookiepath. (This occurs with Mozilla 1.0) As a result, as long as cookiepath remains set to something more specific than "/", users must log in again on every page. In any site where the cookiepath was set to "/" or where 2.14 was previosuly used, I expect that this would be an issue on each client machine. Probably the right thing to do, when cookiepath is enabled is to force the old cookies out with something like... print "Set-Cookie: Bugzilla_login= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT Set-Cookie: Bugzilla_logincookie= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT This is likely related to bug 121419, but the FQDN issue is moot because it is 2 URLs on the same server.
Yeah, I noticed this too. I thikn that this is a mozilla bug - rfc2109 says: "If multiple cookies satisfy the criteria above, they are ordered in the Cookie header such that those with more specific Path attributes precede those with less specific. Ordering with respect to other attributes (e.g., Domain) is unspecified."
Actually, this is a bz bug. The $::COOKIE stuff in CGI.pl needs to consider the most specific path attribute, ie the first one, not the last// CGI::Cookie claims that this is a netscape bug, but the specs agree that this behaviour is correct.
This patch just clears out the old default cookie if cookiepath is something more than "/" This should help sites that have http://myserver/thiszilla/ and http://myserver/thatzilla/, but we should do as bbaetz suggests otherwise sites that have http://myserver/thiszilla/ and http://myserver/thiszilla/thatzilla/ would not be fixed.
It appears from the CGI.pm docs that the browser may not even tell the server which of several matching cookies was hit. So, the proper fix may actually be to change cookiepath to cookiesuffix and change the name of the cookie instead of its path.
I think what our problem is would be that the browser is sending them in the order of: bugzilla.domain.org/bugzilla bugzilla.domain.org/ .domain.org/bugzilla .domain.org/ And when we assign them $::COOKIE (using our own code, not CGI.pm) we just keep clobbering the old value and $::COOKIE{Bugzilla_login} ends up being the one sent for .domain.org (the last, or least significant one). We need to either test all the cookies sent to us or modify the code so it picks the most significant cookie. The problem I see with the patch supplied here is that if I have: /bz123 /bz456 /bz789 /bz147 /bz258 /bz369 (such as on landfill) on only /bz147 uses a seperate database, then I could set the cookie path all the other installs to be / and they'd share one login and set /bz147 to be "/bz147" and if the code behaved properly it'd use it's own login and everybody would be happy :), with this patch, logging in at /bz147 would clobber the login for all the other installs (I know that's what the pre-cookiepath behavior was, but improvment is good, esp. for landfill testing :)
Jake is correct, and that makes this a dupe of 121419 *** This bug has been marked as a duplicate of 121419 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Attachment #97314 - Attachment is obsolete: true
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: