[Top 100] Fails to remain logged in while browsing the page on msn.com
Categories
(Core :: Privacy: Anti-Tracking, defect, P3)
Tracking
()
People
(Reporter: ctanase, Assigned: timhuang)
References
(Blocks 1 open bug, )
Details
(Keywords: priv-webcompat)
Attachments
(5 files)
Nightly, network.cookie.cookieBehavior=5
Environment:
Operating system: Windows 10
Firefox version: Firefox Nightly 118.0a1 (2023-08-01)
Steps to reproduce:
- Go to https://www.msn.com
- Log into your account.
- Access the "SPORT" category.
- Click on any article.
- Check the account icon.
Expected Behaviour:
The account remains logged in after browsing the page.
Actual Behaviour:
The account is logged out while browsing the page.
Notes:
- Screen rec provided
- At first it reproduce only when opening new articles in a new tab, now it seems it reproduces regardless when browsing the page
- Reproducible regardless of the ETP status
- Not reproducible on Firefox Release and Chrome
- Issue found during WebCompat team [Top100] websites testing
|
||
Comment 1•1 year ago
•
|
||
Reproducible on mobile as well. Seems like a duplicate of : https://github.com/webcompat/web-bugs/issues/124586
|
|
||
Updated•1 year ago
|
|
||
Comment 2•1 year ago
•
|
||
Another way to test this (as described in the webcompat bug), after account login is performed, reload the page and the account icon will appear as you're not logged in.
It starts working as expected in Nightly if I change network.cookie.cookieBehavior to 4, so this is related to TCP.
The site injects an iframe to check whether a user is authenticated with this url:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=..., which then redirects to
https://login.live.com/oauth20_authorize.srf?client_id=... , which
redirects to the url with an "error" hash https://www.msn.com/staticsb/statics/latest/auth/auth-redirect-blank.html?lc=1033#error=login_required&error_description=Silent+authentication+was+denied.+The+user+must+first+sign+in+and+if+needed+grant+the+client+application+access+to+the+scope+'User.Read+openid+profile+offline_access'.&state=... , which makes the auth check fail.
Looks like most of the required cookies are missing in the request to https://login.live.com, so it returns this error in response.
|
|
||
Comment 3•1 year ago
•
|
||
These are the cookies sent in Firefox release (or Nightly with network.cookie.cookieBehavior=4), where auth check is successful
|
|
||
Updated•1 year ago
|
|
Assignee | |
Updated•1 year ago
|
This also happens when I log into Outlook Online. If I use either my username and password/authenticator or my Windows Hello, the credentials for Outlook Online are not retained upon a re-start of Firefox.
I'm currently at Firefox V117.0b9.
The same is true using Firefox Nightly.
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 5•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
||
Comment 7•1 year ago
|
||
| bugherder | ||
|
Reporter | |
Comment 8•11 months ago
|
||
The issue started to reproduce again on both Android and Windows.
Environment:
Operating system: Google Pixel 5 (Android 13) / OnePlus 6 A6000 (Android 11) / Windows 10
Firefox version: Nightly 121.0a1-20231102094447 / 121.0a1 (2023-11-02)
|
||
Comment 9•11 months ago
|
||
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 10•11 months ago
|
||
I cannot reproduce the issue on my MAC. Calin, would you be able to verify if this issue is reproducible on MAC?
|
|
Reporter | |
Comment 11•11 months ago
|
||
Doesn't seem to reproduce on my Mac as well. Still reproducible on Windows 10.
|
||
Comment 12•11 months ago
|
||
I think it would be easier to track if this bug remained closed since the shim landed on Firefox 119, and then another bug can be opened for the new failures we are seeing.
|
||
Comment 13•11 months ago
|
||
I still see intermittent log-offs with Nightly... 121.0a1 (2023-11-13) (64-bit).
There isn't a pattern that I can report that causes Nighly to dump the Microsoft login credentials. Some days the login sticks other days the login gets dumped and I have to log back into the service.
I'm also seeing this behaviour with Firefox 119.0.1 (64-bit).
Cheers.
|
|
Assignee | |
Comment 14•11 months ago
|
||
I tested it on Windows 10 with a fresh profile and could not reproduce the issue. Calin, would you be able to provide a captured video of the issue again?
|
|
Assignee | |
Comment 15•11 months ago
|
||
Lower the severity because we have deployed a shim for this and now it's a platform-dependent issue.
|
|
Reporter | |
Comment 16•11 months ago
|
||
Seems to work now on Windows 10 with the latest Nightly. However I'm still able to reproduce it on Android with both Standard and Strict ETP.
Browser / Version: Firefox Nightly 121.0a1-20231114093013 / Firefox Nightly 121.0a1 (2023-11-14)
Operating System: OnePlus 6 A6000 (Android 11) / Windows 10
|
|
Reporter | |
Updated•10 months ago
|
|
|
Assignee | |
Comment 17•7 months ago
|
||
Please help with testing on Android. Thanks.
|
||
Comment 18•7 months ago
|
||
Working on it! Getting my android simulator setup, and I'll look into it within the week!
|
|
||
Comment 19•6 months ago
|
||
This came up in the meeting today. I'm setting the NI again to ensure it doesn't get lost.
|
|
||
Updated•6 months ago
|
|
|
||
Comment 20•6 months ago
|
||
Finally got my Android Emulator running, verified on Android 15 (VanillaIceCream) on Pixel 8.
Looks like turning ETP off works, so this remains to be an ETP issue (reproducible with ETP standard).
|
|
Assignee | |
Updated•5 months ago
|
Description
•