Cache re-validation request includes duplicated cookies
Categories
(Core :: Networking: Cookies, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | fixed |
| firefox140 | --- | wontfix |
| firefox141 | + | wontfix |
| firefox142 | + | wontfix |
| firefox143 | --- | fixed |
People
(Reporter: azasypkin, Assigned: smayya)
References
(Regression, )
Details
(Keywords: enterprise, regression, Whiteboard: [necko-triaged])
Attachments
(2 files)
|
7.02 MB,
application/zip
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr140+
|
Details | Review |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0
Steps to reproduce:
Our web application (Kibana) relies on cookie-based authentication. Certain user activity causes the application to send XHR requests to various server endpoints, and if the session is still valid, it's being extended and the cookie is updated. The response includes a Set-Cookie header with the updated cookie.
We also have some endpoints that leverage HTTP cache (large and expensive to generate responses) with max-age and stale-while-revalidate directives. As a result, responses for such endpoints include both cookie and cache-related headers that look like this: "Set-Cookie": "sid=xxxx; HttpOnly" and "Cache-Control": "private, max-age=5, stale-while-revalidate=31535995".
Since recently (new FF release?), we started receiving complaints about unexpected logouts. After debugging, we figured out that for some reason, Firefox started sending duplicated identical cookies to the endpoints that both refresh the cookie and use HTTP cache. We don't see this behavior in older Firefox versions (MacOS, 137.0.1) or any other browsers. I can reproduce this on the latest Nightly as well (MacOS, 140.0a1 (2025-05-07) (aarch64)). It does feel like a bug to me.
In the attachment, you can find an archive with a simple Node.js HTTP server (once run with node index.js the server will be available at http://localhost:3000/) and a demo video that demonstrate the problem.
It probably can be considered a security-related bug, but I'm not sure, so feel free to make it private.
Actual results:
Firefox sends 2 identical cookies with cache re-validation request.
Expected results:
Firefox shouldn't send duplicated cookies.
| Reporter | ||
Updated•1 year ago
|
Comment 1•1 year ago
|
||
Could you try to use mozregression to help us figure out the regression range?
Thanks.
Comment 2•1 year ago
|
||
Ran mozregression with the our scenario in kibana.
Pushlog URL generated by mozregression: https://hg-edge.mozilla.org/mozilla-central/pushloghtml?fromchange=d4371465982dfa17147909c585a516b7389e0751&tochange=4bbc39703afd169d2a2ff8f052faf2a95bd5f46d
Last known good build: 137
First known bad build: 138
| Reporter | ||
Updated•1 year ago
|
| Reporter | ||
Comment 3•1 year ago
|
||
@kershaw, I had a chance to run mozgregression on the mozilla-central/autoland earlier today to further narrow the range:
And the tool points to this commit, which indeed sounds relevant: https://phabricator.services.mozilla.com/D239726 and https://bugzilla.mozilla.org/show_bug.cgi?id=1893842 (Bug 1893842 - background validation requests should include headers from original requests. r=necko-reviewers,valentin).
Tagging the author to confirm/deny the guess.
| Reporter | ||
Updated•1 year ago
|
| Assignee | ||
Comment 4•1 year ago
|
||
This is indeed a regression from 1893842
| Assignee | ||
Updated•1 year ago
|
| Reporter | ||
Comment 5•1 year ago
|
||
Hey @edgul, I see the bug was triaged as P2 - can you please give us a sense of when (approx.) or what Firefox version the fix will be available in? Unfortunately, we have quite a few Firefox users using older versions of our product (Kibana) that they cannot upgrade to get the temporary workaround from us and will have to wait until the fix is released in Firefox.
Until then, we have to ask them to either switch to a different browser or fully disable Firefox cache (via browser.cache.disk.enable: false and browser.cache.memory.enable) since the product is basically unusable (users are logged out) due to how we handle invalid cookie headers. If there is no way you can address the regression in the current release cycle, do you have any less brutal workarounds we can recommend our users?
I'll defer to Sunil, who is currently assigned to the bug
| Reporter | ||
Comment 7•1 year ago
|
||
I'll defer to Sunil, who is currently assigned to the bug
Hey @smayya,
Any chance you can help with https://bugzilla.mozilla.org/show_bug.cgi?id=1965056#c5?
Thanks!
| Assignee | ||
Updated•1 year ago
|
| Assignee | ||
Comment 8•1 year ago
|
||
Hello Oleg,
Sorry for the delay.
I havent fixed it, will start working on it in the next two weeks.
The fix will be available in version 141/142 version.
| Assignee | ||
Updated•1 year ago
|
| Assignee | ||
Comment 9•1 year ago
|
||
Oleg, please check if the workaround mentioned in this comment -> https://bugzilla.mozilla.org/show_bug.cgi?id=1967522#c2, helps you.
| Reporter | ||
Comment 11•1 year ago
|
||
Oleg, please check if the workaround mentioned in this comment -> https://bugzilla.mozilla.org/show_bug.cgi?id=1967522#c2, helps you.
Thanks for the link. Using a custom browser extension as a workaround might work for some people, but would be quite complicated for the general public. It sounds like we'll have to wait for the proper fix. Until then, we added a workaround for this Firefox behavior in our product (https://github.com/elastic/kibana/pull/220430) that would at least help those who can upgrade.
Comment 12•1 year ago
|
||
(In reply to Sunil Mayya from comment #4)
This is indeed a regression from 1893842
If it's a regression, that needs tracking for regression triage
Comment 13•1 year ago
|
||
This is a confirmed bug, setting as NEW.
It breaks Kibana, an Elastic Search product frequently deployed in corporate settings, adding the enterprise keyword.
Not a macOS bug but affects all platforms.
Tracking for our affected branches as we already have a dupe and there are also several issues filed about it on the Kibana repo.
Updated•1 year ago
|
Comment 14•1 year ago
|
||
(In reply to Sunil Mayya from comment #8)
Hello Oleg,
Sorry for the delay.
I havent fixed it, will start working on it in the next two weeks.
The fix will be available in version 141/142 version.
Sunil, we are in our last week of the 141 beta cycle, do you have an update on this bug? Thanks
Updated•1 year ago
|
Comment 15•1 year ago
|
||
The bug is marked as tracked for firefox141 (beta) and tracked for firefox142 (nightly). However, the bug still has low severity.
:ghess, could you please increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
| Assignee | ||
Comment 16•1 year ago
•
|
||
(In reply to Pascal Chevrel:pascalc from comment #14)
(In reply to Sunil Mayya from comment #8)
Hello Oleg,
Sorry for the delay.
I havent fixed it, will start working on it in the next two weeks.
The fix will be available in version 141/142 version.Sunil, we are in our last week of the 141 beta cycle, do you have an update on this bug? Thanks
The fix isn’t ready yet, and I don’t think we’ll be able to complete it this week. I’ll prioritize it and aim to wrap it up by the end of next week.
| Assignee | ||
Updated•1 year ago
|
Updated•1 year ago
|
Comment 17•11 months ago
|
||
Set release status flags based on info from the regressing bug 1893842
Updated•11 months ago
|
| Assignee | ||
Comment 18•11 months ago
|
||
Comment 19•11 months ago
|
||
Comment 20•11 months ago
|
||
| bugherder | ||
Comment 21•11 months ago
|
||
The patch landed in nightly and beta is affected.
:smayya, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox142towontfix.
For more information, please visit BugBot documentation.
| Assignee | ||
Comment 22•10 months ago
|
||
Hello Oleg,
This has been fixed. Feel free to test this in latest nightly to confirm and remove the workaround.
Pleaser let us know if you have more issues?
Updated•10 months ago
|
Updated•10 months ago
|
| Reporter | ||
Comment 23•10 months ago
|
||
I can confirm it works properly in the current Nightly (144.0a1, 2025-08-19) for me. Thanks for the fix, Sunil!
Comment 24•10 months ago
|
||
Please nominate this for ESR140 uplift when you get a chance.
| Assignee | ||
Comment 25•10 months ago
|
||
Comment on attachment 9505689 [details]
Bug 1965056 - for stale revalidating channel do not copy cookies. r=#necko
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This effects enterprise networks as it breaks kibana.
- User impact if declined: Authentication will break
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It modifies code path of cache revalidation with cookies. Hence, the impact scope is relatively small.
Comment 26•10 months ago
|
||
Comment on attachment 9505689 [details]
Bug 1965056 - for stale revalidating channel do not copy cookies. r=#necko
Approved for 140.3esr.
Updated•10 months ago
|
Comment 27•10 months ago
|
||
| uplift | ||
Description
•