Cookie-Set: Header is not honored

RESOLVED INVALID


People

(Reporter: Nikolaus, Unassigned)

Tracking

Trunk
x86
Linux

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)

Opening the page should set the IMAIL_TEST_COOKIE. I got the following
line with ethereal:

Set-Cookie: IMAIL_TEST_COOKIE=test; expires=Thu, 12 May 2005 12:09:05 GMT;
path=/; domain=www.rath.org


However, the cookie is not set (checked as well with the cookie manager).

I've customized firefox to accept every cookie with no exceptions.

I also tried to purge my entire configuration in ~/.mozilla. After 
a fresh start, the cookie was set but after some days (I didn't change
anything) it stopped working again.

I can't reproduce the behaviour with the same browser version on
a different system. The failure only occurs on this system.

Reproducible: Sometimes

Steps to Reproduce:
(Reporter)

Comment 1

14 years ago
After having ordered my thoughts for writing the bug report,
I just managed to narrow the problem down. Sorry for that.

The problematic URL is http://ebox.rath.org/iloha/ while 
http://www.rath.org/iloha/ works fine (this machine used
a different bookmark than the other).

In both cases the cookie is set with domain=www.rath.org. If
the URI is ebox.rath.org, the cookie is then ignored.

However, I'm still not sure if that is correct behaviour. After
all, I instructed firefox to accept cookies from *all* websites
and not just the originating one. 

Comment 2

14 years ago
It would be a security hole if one website could set a cookie for another.  So
when you set the browser to accept all cookies, that really just means all
cookies that are legal according to the RFC (give or take, enforcing the RFC
requirements exactly would break too many websites).

Now then, domain=www.rath.org is invalid, you really mean domain=.www.rath.org
(and that is how the browser interprets it, with the leading dot).  But
domain=.rath.org would be more useful here, so that all rath.org servers could
read the cookie value.

Marking invalid.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Component: General → Networking: Cookies
Product: Firefox → Core
Resolution: --- → INVALID
Version: unspecified → Trunk
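
The rejection discussed in this bug can be reproduced with a small model of the Domain-attribute check. This is an added example, not Firefox code and not part of the original thread; it follows the domain-matching rules of RFC 6265 (published after this bug was filed), omits the public-suffix check, and its function names are hypothetical.

```javascript
// Added illustration, not Firefox source. Follows RFC 6265 sections 5.1.3,
// 5.2.3 and 5.3; assumption: the public-suffix check is left out.
const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// 5.1.3: identical, or `domain` is a suffix of `host` on a label boundary.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || (!isIPv4(host) && host.endsWith("." + domain));
}

// 5.2.3: the last Domain attribute wins and one leading dot is ignored.
function domainAttribute(setCookie) {
  let domain = null;
  for (const part of setCookie.split(";").slice(1)) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    const value = part.slice(eq + 1).trim().toLowerCase();
    if (name === "domain" && value) domain = value.replace(/^\./, "");
  }
  return domain;
}

// 5.3: decide whether a response from `requestHost` may store the cookie.
function evaluateSetCookie(requestHost, setCookie) {
  const host = requestHost.toLowerCase();
  const domain = domainAttribute(setCookie);
  if (domain === null) return { accepted: true, hostOnly: true, scope: host };
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: `${host} does not domain-match ${domain}` };
  }
  return { accepted: true, hostOnly: false, scope: domain };
}

// Would a stored cookie be sent on a request to `host`?
function sentTo(cookie, host) {
  if (!cookie.accepted) return false;
  return cookie.hostOnly ? host.toLowerCase() === cookie.scope : domainMatches(host, cookie.scope);
}

// Header as captured in the report; the .rath.org variant is the scope suggested in comment 2.
const REPORTED = "IMAIL_TEST_COOKIE=test; expires=Thu, 12 May 2005 12:09:05 GMT; path=/; domain=www.rath.org";
const WIDENED = REPORTED.replace("domain=www.rath.org", "domain=.rath.org");

for (const [host, header] of [["ebox.rath.org", REPORTED], ["www.rath.org", REPORTED], ["ebox.rath.org", WIDENED]]) {
  console.log(host, JSON.stringify(evaluateSetCookie(host, header)));
}
```

The label-boundary test in `domainMatches` is the security-relevant part: a plain suffix comparison would let a host such as `evilrath.org` set cookies scoped to `rath.org`.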