Closed
Bug 284417
Opened 20 years ago
Closed 19 years ago
firefox uses previously deleted cookie when reloading http 401 page
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: o.strixner, Assigned: bugzilla)
Details
(Whiteboard: [sg:needinfo])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7.6) Gecko/20050223 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7.6) Gecko/20050223 Firefox/1.0.1

When closing the session on the server and sending an HTTP status 401 response to the client, Firefox didn't clean the access data and the session cookie. In Mozilla and IE, you have to log in again; that's the behavior that's wanted. Firefox uses the old session cookie to restore the access information.

Reproducible: Always

Steps to Reproduce:
1. Delete the cookie manually in Firefox.
2. Call the page; the basic auth login window comes up.
3. Cancel the login window.
4. The 401 answer is shown.
5. Reload the page in Firefox; I'm in the web application without login.

Actual Results:
Everyone who is entering the PC and clicks reload can log in to the web application, which is handling sessions with cookies. Maybe all PHP servers are so easy to hack.

Expected Results:
After getting the 401 response I expected that the browser offers me a new login screen, as Mozilla and IE do. Firefox didn't do so; it didn't delete the old cookies.
Comment 1•20 years ago
Cookies and HTTP 401 responses have nothing to do with each other. What site was this happening on? It's not something I can reproduce on a few typical HTTP-auth sites I tried, and if cookies are involved then there's some cookie cleaning code on that particular server. Both networking and cookies are core features shared by both Mozilla and Firefox; there should be no difference there. Are you comparing to an older Mozilla version? If so, the specific version might give us a clue to what might have changed between the two.
Whiteboard: [sg:needinfo]
Comment 2•19 years ago
WFM based on Dan's comment and lack of response from the reporter. Please reopen if you can give a URL where this happens.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Summary: http 401 response, cleans not the cookie - valid until 'ende der sitzung' → firefox uses previously deleted cookie when reloading http 401 page
Updated•19 years ago
Group: security