- Shopping basket forgotten when going to from http to https



Tech Evangelism Graveyard
English US
15 years ago
3 years ago


(Reporter: Heikki Toivonen (remove -bugzilla when emailing directly), Unassigned)




When you are trying to checkout with your purchases from this site, it always
thinks your shopping cart is empty. I suspect this is because Mozilla does not
send the cookies in this situation: selecting products is done in unsecure mode,
and checkout takes you to an SSL URL.

I am not sure if this is our bug or an evangelism issue or what, but this seems
to happen with latest trunk builds as well as with NS 7.0. I seem to remember
there was some talk about this issue recently, but I can't seem to find it.
Works fine with latest IE. The funny thing is that the site otherwise seems to
work better with Mozilla (some images won't display with IE).

To reproduce:

1. Go to URL (
2. Select some product (for example, follow these links: STABLE -> Turnouts &
Hoods -> WeatherBeeta TAKA 1600TS Regular Neck Sheet) and hit "Add to cart" button.
3. From resulting shopping basket summary page hit "Secure Checkout" button.
NOTE: Up till now you have been on unsecure pages, and this button should take
you to an SSL URL.

Expected results: a page where you fill in credit card info etc.

Actual results: a page that says your cart is empty.

Comment 1

15 years ago
Reporter, have you selected 'enable cookies for the originating site only'?
My settings make it use the medium P3P settings which should not reject any
cookies. I just tested with "enable all cookies" and I still see this bug.

Comment 3

15 years ago
Here's some info.  Not the full answer yet, but I'm still investigating.

This fails with N4 as well.  Problem appears to be that Heikki started by going
to (with non www) and the cookies are then set as host
cookies for  Then when you go to check out, the site sends
you to  So the host cookies that were set for the host do not get sent to this secure host.

In N4, if I start by going to, everything works
fine.  So at first I thought that I had found the cause of the problem, and it
was one of evangelism (there's a similar problem if you start at
instead of  But apparently that's not the whole problem
because, upon investigating further, I observed the following:

- If I start from in mozilla, the problem still occurs.

- If I start from, there is no problem.

So I'm still investigating.

Comment 4

15 years ago
Correction: I was wrong above when I said that there is still a problem when
starting from in mozilla.  After I fixed a bug in
my local tree (bug was not checked in), this worked fine in mozilla.  So the
problem is indeed a site problem and not a browser one.  The site should take
you to if you started from,
and then the cookies from the non-secure server will correctly be sent to the
secure one.

The only thing that I still can't explain is why this works on IE.  Still

Comment 5

15 years ago
OK, I understand the problem.  Microsoft is playing fast and loose with the
definition of domain matching.  That is, if a cookie is set for host B, they are
sending those cookies to host A.B.  This is in violation of the cookie spec

To demonstrate this, go to, and set a cookie by using a
javascript URL.  You do that by typing the following into the URL bar


Then go to and read the cookies using a javascript URL:


Note that mycookie will be readable at this time.  (If you set a cookie when at, you will not be able to read it when at

It's because of this violation of the cookie spec that the shopping cart works
with IE if you start from

So what do we do about this?  I'd really love to see this fixed by evangelism. 
Someone needs to inform that they have the wrong expectations
of seeing the cookies on their secure server with the www if those cookies were
initially set on their unsecure server without the www.

The other alternative is for us to change our cookie code and violate the cookie
spec in the same manner that Microsoft is doing.  I'm against doing that.  We
are supposed to be generating a better browser because ours is
standards-compliant whereas the Microsoft browser is not.

Incidentally, regarding the problem that I mentioned above, I see
that google has become aware of the problem and has solved it.  Now when you go
to, you automatically get redirected to

Reassigning to evangelism to see if we can get statelinetack to see the error of
their ways.
Assignee: morse → nitot
Component: Cookies → African
Product: Browser → Tech Evangelism
QA Contact: tever → momoi
Version: Trunk → unspecified
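
Added example, not part of the bug report or of Mozilla's cookie code: a minimal JavaScript model of the two matching behaviours diagnosed in Comment 5, applied to a cart cookie set on a bare host and then requested from its www secure host. The hostnames `shop.example` and `www.shop.example` and all function names are constructed for illustration.

```javascript
// Added example. Hostnames are constructed placeholders, not the site's real hosts.

// True when host equals domain or is a subdomain of it (A.B matches B).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie as a browser would. Without a Domain attribute the cookie
// is host-only; with one, it is scoped to that domain and its subdomains.
function storeCookie(name, setByHost, domainAttr) {
  if (!domainAttr) {
    return { name, domain: setByHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only set a Domain that covers itself.
  if (!domainMatches(setByHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Strict matching: a host-only cookie returns only to the exact host that set it.
function strictSend(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
}

// Lenient matching, as Comment 5 describes for IE: set for B, also sent to A.B.
function lenientSend(cookie, requestHost) {
  return domainMatches(requestHost, cookie.domain);
}

function cookiesFor(jar, requestHost, matcher) {
  return jar.filter((c) => matcher(c, requestHost)).map((c) => c.name);
}

// Cart cookie set on the bare host over http, checkout on the www host over https.
function demo() {
  const hostOnlyJar = [storeCookie("cart", "shop.example")];
  const domainJar = [storeCookie("cart", "shop.example", "shop.example")];
  const checkout = "www.shop.example";
  return {
    strictHostOnly: cookiesFor(hostOnlyJar, checkout, strictSend),   // []
    lenientHostOnly: cookiesFor(hostOnlyJar, checkout, lenientSend), // ["cart"]
    strictDomain: cookiesFor(domainJar, checkout, strictSend),       // ["cart"]
  };
}

console.log(demo());
```

The third case is a site-side alternative to redirecting every visitor to one hostname: an explicit Domain attribute makes the cart cookie valid on both hosts under strict matching.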
Thanks for the quick diagnosis, Steve! I agree I'd rather see this fixed on the

I think State Line Tack is an American company, though, so changing components.
Assignee: nitot → aruner
Component: African → US Ecommerce
QA Contact: momoi → bclary
Summary: Shopping basket forgotten when going to from http to https → [] Shopping basket forgotten when going to from http to https


15 years ago
Summary: [] Shopping basket forgotten when going to from http to https → - Shopping basket forgotten when going to from http to https

Comment 7

15 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b; MultiZilla v1.1.33 (b))
wfm as far as i erased all cookies before proceeding. if not the cart is empty too.
--> general cookie problem?
reporter: what version are you using?

Comment 8

15 years ago
BTW the test Stephen proposes fails. the alert box is empty for me.
please check dependencies (Evangelism.Ecommerce and browser.cookies)
bug 170396 and other microsoft cookies issues

Comment 9

15 years ago
tech evang june 2003 reorg
Assignee: aruner → english-us
Component: US Ecommerce → English US
QA Contact: bc → english-us

Comment 10

7 years ago
INCOMPLETE due to lack of activity since the end of 2009.

If someone is willing to investigate the issues raised in this bug to determine whether they still exist, *and* work with the site in question to fix any existing issues, please feel free to re-open and assign to yourself.

Sorry for the bugspam; filter on "NO MORE PRE-2010 TE BUGS" to remove.
Last Resolved: 7 years ago
Resolution: --- → INCOMPLETE
Product: Tech Evangelism → Tech Evangelism Graveyard