Closed Bug 1938299 Opened 1 year ago Closed 10 months ago

store.steampowered.com / steamcommunity.com - Does not appear as logged in when accessing profile

Categories

(Web Compatibility :: Site Reports, defect, P2)

Product:
Web Compatibility
Component:
Site Reports
Version:
Firefox 135
Platform:
ARM
Windows 10
Type:
defect

Tracking

(Webcompat Priority:P2, Webcompat Score:7, firefox133 wontfix, firefox134 wontfix, firefox135 wontfix, firefox138 fixed)

Status:
VERIFIED FIXED
Milestone:
138 Branch
Project Flags:
Webcompat Priority P2
Webcompat Score 7
Tracking Flags:
Tracking Status
firefox133 --- wontfix
firefox134 --- wontfix
firefox135 --- wontfix
firefox138 --- fixed

People

(Reporter: ctanase, Assigned: wwen)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: webcompat:site-report, Whiteboard: [webcompat:sightline])

User Story

platform:windows,mac,linux,android
impact:annoyance
configuration:general
affects:all
branch:release
diagnosis-team:networking

Attachments

(3 files)

steam FF vs Chrome.mp4
1.05 MB, video/mp4
Details
STR on clean Chrome.mp4
2.88 MB, video/mp4
Details
Bug 1938299 - Allow steam sites to access cookies on other steam sites. r=#anti-tracking-reviewers
48 bytes, text/x-phabricator-request
Details | Review
Attached video steam FF vs Chrome.mp4

Environment:
Operating system: Windows 10
Firefox version: Nightly 135.0a1 (2024-12-18)

Preconditions:
• Must be logged in
• Clean profile

Steps to reproduce:

  1. Go to https://store.steampowered.com
  2. Click on your account avatar.
  3. Observe the header.

Expected Behavior:
Account is logged in.

Actual Behavior:
Account does not appear as being logged in.

Notes:

  1. Screen rec attached
  2. Reproducible regardless of the ETP status
  3. Reproducible on Firefox Release as well
  4. Not reproducible on Chrome
  5. Issue found during WebCompat team [Top100] websites testing

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.

status-firefox134: --- → affected
Whiteboard: [webcompat:sightline]

The severity field is not set for this bug.
:denschub, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(dschubert)

This sounds like it could be related to some cookie portioning magic or something?

Severity: -- → S3
User Story: (updated)
Flags: needinfo?(dschubert)
Keywords: webcompat:needs-diagnosis, webcompat:site-report
Priority: -- → P2

Hi Calin,

As far as I can tell the problem is that the login occurs on https://store.steampowered.com/ while the profile is hosted on https://steamcommunity.com/id/[userid]

If I also login to steamcommunity.com the problem no longer reproduces.
And I'm seeing the exact same thing in Chrome.

Would you mind checking again? (after clearing Chrome's cookies too?)
Thanks!

Flags: needinfo?(ctanase)

The issue is that if you log in on store.steampowered.com and try to access the profile you won't appear as logged in on steamcommunity.com . I do not reproduce this issue on Chrome. On Firefox I have to log in on steamcommunity.com as well.

I've tested on the latest Nightly (136.0a1 - 2025-01-07) and on Chrome 131.0.6778.265 both with clean profiles, the behavior is the same as in the attached screen rec.

Flags: needinfo?(ctanase)

Basically on Firefox you have to log in separately if you want to be logged in on both store.steampowered.com and steamcommunity.com . On Chrome it is enough to log in just on one of them to appear logged in on both sites.

I'm still not able to reproduce the Chrome behaviour.
Could you maybe create a screen rec with the full chrome steps that shows no cookies for steamcommunity.com ?

Thanks!

Flags: needinfo?(ctanase)
Attached video STR on clean Chrome.mp4
Flags: needinfo?(ctanase)

I just tested with Chrome on a different machine (mac) and was able to get it to login to both machines there.

I think the difference between different chrome instances is caused by third-party-cookie phase-out experiments.

From what I can tell, after the user logs into store.steampowered.com the site will then do a few POST XHRs to

https://store.steampowered.com/login/settoken
https://steamcommunity.com/login/settoken
https://help.steampowered.com/login/settoken
https://checkout.steampowered.com/login/settoken
https://steam.tv/login/settoken

Each of these POST requests respond with a Set-Cookie which sets the steamLoginSecure and steamCountry cookies.

In Firefox and Safari these cookies are partitioned by the top-level-principal. Meaning these cookies are really only accessible on store.steampowered.com.
When navigating to steamcommunity.com these cookies are not visible to the website.

If I disable enhanced-tracking-protection on both store.steampowered.com and steamcommunity.com (before logging in), then comment 0 doesn't reproduce, and I am able to automatically login to both of them.
Calin, can you confirm?

Flags: needinfo?(ctanase)

It does not reproduce if ETP is disabled before login on both store.steampowered.com and steamcommunity.com.

Tested on Windows 10 with the latest Nightly (136.0a1 - 2025-01-20).

Flags: needinfo?(ctanase)
Webcompat Priority: --- → P2
Flags: needinfo?(wwen)
Assignee: nobody → wwen
Status: NEW → ASSIGNED
Flags: needinfo?(wwen)
Webcompat Score: --- → 7
Blocks: dfpi-breakage
No longer depends on: dfpi-breakage
Pushed by twisniewski@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d852b7a93025 Allow steam sites to access cookies on other steam sites. r=anti-tracking-reviewers,webcompat-reviewers,timhuang,twisniewski

https://hg.mozilla.org/mozilla-central/rev/d852b7a93025

Status: ASSIGNED → RESOLVED
Closed: 10 months ago
status-firefox138: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch

Verified, works as expected.

Tested with:

Browser / Version: Firefox 137.0-candidate build 1
Operating System: Windows 10
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: