Closed
Bug 295396
Opened 19 years ago
Closed 18 years ago
Session data sent to a wrong port.
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 189784
People
(Reporter: st946tbf, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Session data from port 80 was sent to port 8080 (cookies, etc.)

Reproducible: Always

Steps to Reproduce:
1. I have a page that needs login (using cookies); it sits under port 80.
2. Using the web browser (Firefox), I open the page and log in.
3. Without closing Firefox, I start up a TCPMon (the one from Apache Axis), listen on port 8080, and forward to port 80.
4. Using Firefox, I open the page again (http://localhost:8080).

I was surprised that I was allowed to come in. So I reason my cookies for port 80 must have been sent to port 8080. This is a bug unless it has something to do with the way I get the session. In a servlet filter, I call:

  sess = request.getSession(true);

which generates the session key and stores it in the cookies.
Comment 1•19 years ago
Cookies are agnostic about port; they use host and path (http://www.faqs.org/rfcs/rfc2109.html). The proposed "Cookie2" spec (http://www.faqs.org/rfcs/rfc2965.html) addressed this by adding an optional PORT list that would restrict a cookie to only that port or ports. In the absence of a port specifier, cookies are still available to all ports for backward compatibility (but Cookie2 never really caught on).
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
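The behaviour comment 1 describes, shown with Python's standard-library cookie jar as an added example (not code from the bug report or from Mozilla): a cookie set by localhost:80 is replayed to localhost:8080 because the jar matches on host and path only, and a server-side check that binds a session to the Host header (with port) it was created under. The session store, `create_session` and `session_valid` are assumed helpers, and the login response is constructed.

```python
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only needs info()."""
    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg.add_header("Set-Cookie", value)

    def info(self):
        return self._msg


def cookie_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def demo_port_leak():
    """Set a session cookie from port 80, then see which ports receive it."""
    jar = CookieJar()
    # Constructed login response from the port-80 application (no Port attribute,
    # as with a plain Set-Cookie header), so the cookie carries no port restriction.
    login = Request("http://localhost:80/login")
    jar.extract_cookies(FakeResponse(["JSESSIONID=abc123; Path=/"]), login)
    return {
        "port80": cookie_sent_to(jar, "http://localhost:80/app"),
        "port8080": cookie_sent_to(jar, "http://localhost:8080/app"),
    }


# Server side (assumed helpers): record the Host header, port included, when
# the session is created and reject requests that present the session id
# under a different Host. The browser cannot be relied on to scope by port.
def create_session(store, session_id, host_header):
    store[session_id] = {"bound_host": host_header.lower()}


def session_valid(store, session_id, host_header):
    sess = store.get(session_id)
    return sess is not None and sess["bound_host"] == host_header.lower()
```

Both entries of `demo_port_leak()` come back as `JSESSIONID=abc123`, which is the leak the reporter observed; `session_valid` refuses the same id when presented under `localhost:8080`.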
Comment 2•19 years ago
> (but Cookie2 never really caught on).
Opera supports it... (Authors won't use Cookie2 until it is widely implemented.)
Updated•18 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3•18 years ago
*** This bug has been marked as a duplicate of 189784 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago → 18 years ago
Resolution: --- → DUPLICATE