Path setting in the cookies does not seem to be honored
Categories (Core :: Networking: Cookies, defect, P2)
People (Reporter: felix, Assigned: edgul)
References (Blocks 1 open bug)
Details (Whiteboard: [necko-triaged][necko-priority-review])
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
Steps to reproduce:
I have a server that is setting a cookie (secure, httpOnly) for the path /api/auth/refresh, and I see this cookie being sent by Firefox to the server at every request.
Expected results:
The cookie should be sent to the server only when the path /api/auth/refresh is accessed.
Comment 1•2 years ago
Moving this to Core > Networking: Cookies component to allow our engineers to examine it more closely. If this is not the right component, please move it to a more appropriate one. Thanks!
Updated•2 years ago
Comment 3•2 years ago
Hi Felix, does Chrome have a different behaviour here?
Updated•2 years ago
Updated•2 years ago
Comment 4•2 years ago (Reporter)
(In reply to Valentin Gosu [:valentin] (he/him) from comment #3)
> Hi Felix, does Chrome have a different behaviour here?
Hi Valentin. Yes, I have done some more tests:
On Linux:
- Firefox behaves as explained.
- Chrome behaves as expected.
On macOS:
- Both Firefox and Chrome behave as expected.
Comment 5•2 years ago
Thank you for looking into it Felix. I think this is something we'll aim to fix soon.
Comment 6•1 year ago
The check here should filter out other cookies, but for some reason it might not?
if (!CookieCommons::PathMatches(cookie, pathFromURI)) {
continue;
}
Updated•1 year ago
Sorry for the delay Felix. I ran the following PHP server to try to replicate the issue.
<?php
setcookie("somepath", "val", [
'expires' => time() + (86400 * 30), // 86400 = 1 day
'path' => '/some/path',
'secure' => true, // Change to true if you want the cookie to be sent only over secure HTTPS connections
'httponly' => true, // HttpOnly attribute
'samesite' => 'None' // Optional, for additional security
]);
setcookie("nopath", "val", [
'expires' => time() + (86400 * 30), // 86400 = 1 day
'path' => '/',
'secure' => true, // Change to true if you want the cookie to be sent only over secure HTTPS connections
'httponly' => true, // HttpOnly attribute
'samesite' => 'None' // Optional, for additional security
]);
?>
<!-- Serve me with `php -S localhost:8000` -->
<!DOCTYPE html>
Mostly empty content, this page sets cookies via http
And with both the current nightly (128) and an older version of fx 115 (though not the 117/118 you reported):
- the cookies were correctly set in the browser
- only the nopath cookie is sent when I navigate to localhost:8000/
- while both cookies are sent when navigating to localhost:8000/some/path
Can you confirm that this issue is resolved for you on a recent version of firefox?
If it is not resolved can you provide additional details about your setup that causes the issue with a minimal set of instructions to replicate?
Thanks!
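The path-match rule that the CookieCommons::PathMatches check in comment 6 implements, and the two-cookie setup from the PHP server in comment 7, can be modelled together in a few lines. The following is an added example and not Firefox code or the reporter's server: it implements the RFC 6265 default-path (section 5.1.4) and path-match (section 5.1.4 / 5.4) rules in plain Python, parses constructed Set-Cookie header values that mirror the PHP setcookie() calls above plus the reporter's /api/auth/refresh cookie, and returns which cookie names a conforming client would attach to a given request URL. Only the Path rule is enforced here; Secure and HttpOnly are parsed but ignored, and the cookie jar and header strings are constructed for the example.

```python
"""Model of RFC 6265 cookie path handling (added example, not Firefox code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    path: str
    secure: bool = False
    http_only: bool = False


def default_path(request_uri_path: str) -> str:
    """RFC 6265 5.1.4: path used when Set-Cookie carries no Path attribute.

    Everything up to, but not including, the right-most "/"; "/" if there is
    no such prefix (e.g. "/index.php" -> "/", "/api/auth/refresh" -> "/api/auth").
    """
    if not request_uri_path.startswith("/"):
        return "/"
    last_slash = request_uri_path.rfind("/")
    if last_slash == 0:
        return "/"
    return request_uri_path[:last_slash]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match, the rule PathMatches() in comment 6 applies.

    A cookie path matches when it equals the request path, or is a prefix of it
    that either ends in "/" or is followed by "/" in the request path. That last
    clause is what keeps a cookie scoped to /api/auth/refresh from leaking to a
    request for /api/auth/refreshx.
    """
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def parse_set_cookie(header: str, request_uri_path: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value plus Path, Secure and HttpOnly."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), path="")
    explicit_path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path" and val.strip().startswith("/"):
            explicit_path = val.strip()          # a Path not starting with "/" is ignored
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    cookie.path = explicit_path if explicit_path is not None else default_path(request_uri_path)
    return cookie


def cookies_for_request(jar, url: str):
    """Names of jar cookies a conforming client sends to url, longest path first (5.4)."""
    request_path = urlsplit(url).path or "/"
    matching = [c for c in jar if path_matches(request_path, c.path)]
    matching.sort(key=lambda c: len(c.path), reverse=True)
    return [c.name for c in matching]


# Constructed Set-Cookie values mirroring the PHP server in comment 7 and the
# reporter's refresh cookie; all set by a response to "/" in this example.
SAMPLE_SET_COOKIE_HEADERS = [
    "somepath=val; Path=/some/path; Secure; HttpOnly; SameSite=None",
    "nopath=val; Path=/; Secure; HttpOnly; SameSite=None",
    "refresh=tok; Path=/api/auth/refresh; Secure; HttpOnly",
]
SAMPLE_JAR = [parse_set_cookie(h, "/") for h in SAMPLE_SET_COOKIE_HEADERS]


if __name__ == "__main__":
    for url in ("http://localhost:8000/", "http://localhost:8000/some/path",
                "http://localhost:8000/api/auth/refresh", "http://localhost:8000/api/auth/refreshx"):
        print(url, "->", cookies_for_request(SAMPLE_JAR, url))
```

Running the block prints, for each URL, the cookie names a conforming client would send: only nopath for "/", somepath and nopath for "/some/path", refresh and nopath for "/api/auth/refresh", and only nopath for "/api/auth/refreshx". If a browser attached the refresh cookie to every request, as the report describes, that would match the failure of the "followed by /" clause rather than of the prefix test.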
Comment 8•11 months ago
Redirect a needinfo that is pending on an inactive user to the triage owner.
:valentin, since the bug has recent activity, could you have a look please?
For more information, please visit BugBot documentation.
Comment 9•11 months ago
Close this bug as INCOMPLETE, since the reporter is inactive.
Feel free to reopen. Thanks.