Closed Bug 293750 Opened 19 years ago Closed 19 years ago

Cookie-Set: Header is not honored

Categories

(Core :: Networking: Cookies, defect)

x86
Linux
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: Nikolaus, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)

Opening the page should set the IMAIL_TEST_COOKIE. I got the following
line with ethereal:

Set-Cookie: IMAIL_TEST_COOKIE=test; expires=Thu, 12 May 2005 12:09:05 GMT;
path=/; domain=www.rath.org


However, the cookie is not set (checked as well with the cookie manager).

I've customized firefox to accept every cookie with no exceptions.

I also tried to purge my entire configuration in ~/.mozilla. After 
a fresh start, the cookie was set but after some days (I didn't change
anything) it stopped working again.

I can't reproduce the behaviour with the same browser version on
a different system. The failure only occurs on this system.

Reproducible: Sometimes

Steps to Reproduce:
After having ordered my thoughts for writing the bug report,
I just managed to narrow the problem down. Sorry for that.

The problematic URL is http://ebox.rath.org/iloha/ while 
http://www.rath.org/iloha/ works fine (this machine used
a different bookmark than the other).

In both cases the cookie is set with domain=www.rath.org. If
the URI is ebox.rath.org, the cookie is then ignored.

However, I'm still not sure if that is correct behaviour. After
all, I instructed firefox to accept cookies from *all* websites
and not just the originating one. 

It would be a security hole if one website could set a cookie for another.  So
when you set the browser to accept all cookies, that really just means all
cookies that are legal according to the RFC (give or take, enforcing the RFC
requirements exactly would break too many websites).

Now then, domain=www.rath.org is invalid, you really mean domain=.www.rath.org
(and that is how the browser interprets it, with the leading dot).  But
domain=.rath.org would be more useful here, so that all rath.org servers could
read the cookie value.

Marking invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Component: General → Networking: Cookies
Product: Firefox → Core
Resolution: --- → INVALID
Version: unspecified → Trunk
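
Added example (not part of the bug report and not Mozilla's code): the Domain attribute check described in the comment above, written to the domain-match rule of RFC 6265, which is an assumption because the comment only says "the RFC". The function names are hypothetical, hosts are passed without a port, and public-suffix rejection is left out.

```javascript
// Domain attribute check following RFC 6265 (5.1.3, 5.2.3, 5.3 step 6).
// Assumptions: hosts carry no port; public-suffix rejection is omitted.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function isIpAddress(host) {
  return IPV4.test(host) || host.includes(":"); // ":" marks an IPv6 literal
}

// True when `host` equals `cookieDomain` or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  if (host === cookieDomain) return true;
  return host.endsWith("." + cookieDomain) && !isIpAddress(host);
}

// What a user agent stores for a Set-Cookie received from `requestHost`.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // A leading dot is dropped, so "www.rath.org" and ".www.rath.org" are equal.
  const cookieDomain = (domainAttr || "").replace(/^\./, "").toLowerCase();
  if (cookieDomain === "") {
    return { accepted: true, domain: host, hostOnly: true };
  }
  if (!domainMatches(host, cookieDomain)) {
    return { accepted: false, reason: `${host} does not domain-match ${cookieDomain}` };
  }
  return { accepted: true, domain: cookieDomain, hostOnly: false };
}

// Whether a stored cookie is sent on a request to `host`.
function cookieSentTo(stored, host) {
  if (!stored.accepted) return false;
  const h = host.toLowerCase();
  return stored.hostOnly ? h === stored.domain : domainMatches(h, stored.domain);
}

// The three cases from this bug: [request host, Domain attribute].
const cases = [
  ["ebox.rath.org", "www.rath.org"],
  ["www.rath.org", "www.rath.org"],
  ["ebox.rath.org", ".rath.org"],
];
for (const [host, attr] of cases) {
  const r = evaluateCookieDomain(host, attr);
  console.log(`${host} Domain=${attr}:`, r.accepted ? `stored for ${r.domain}` : `ignored (${r.reason})`);
}
```

Only the third case gives a cookie that both ebox.rath.org and www.rath.org receive, which is the Domain=.rath.org setting the comment recommends.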