Session data sent to a wrong port.

RESOLVED DUPLICATE of bug 189784

Product: Firefox
Component: Security
Reported: 13 years ago
Modified: 12 years ago

Reporter: v h
Assignee: Unassigned

Firefox tracking flags: Not tracked

Description (Reporter, 13 years ago)
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Session data from port 80 was sent to port 8080 (cookies, etc.)

Reproducible: Always

Steps to Reproduce:
1. I have a page that needs login (using cookies); it sits under port 80.
2. Using the web browser (Firefox), I open the page and log in.
3. Without closing Firefox, I start up a TCPMon (the one from Apache Axis) and
listen on port 8080, forwarding to port 80.
4. Using Firefox, I open the page again (http://localhost:8080). I was surprised
that I was allowed in. So I reason that my cookies for port 80 must have
been sent to port 8080.

This is a bug unless it has something to do with the way I get the session. In the
servlet filter, I call: sess = request.getSession(true);
which generates the session key and stores it in the cookies.

Cookies are agnostic about port; they use host and path
(http://www.faqs.org/rfcs/rfc2109.html).

The proposed "Cookie2" spec (http://www.faqs.org/rfcs/rfc2965.html) addressed
this by adding an optional PORT list that would restrict a cookie to only that
port or ports. In the absence of a port specifier, cookies are still available to
all ports for backward compatibility (but Cookie2 never really caught on).
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
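The two behaviours discussed above (host-and-path matching for ordinary cookies, and the RFC 2965 Port attribute) can be reproduced offline with Python's http.cookiejar, whose DefaultCookiePolicy implements both. The following is an added example, not code from the bug report or from Mozilla; the URLs, the JSESSIONID name and its value are constructed stand-ins for the reporter's servlet-on-port-80 / TCPMon-on-port-8080 setup.

```python
"""Cookies are scoped by host and path, not by port.

Added example using Python's http.cookiejar (not code from the bug report).
The servlet URLs, cookie name and value below are constructed for illustration.
"""
import email.message
import http.cookiejar
import urllib.request


class _CannedResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies only
    needs .info() to return a message-like object supporting get_all()."""

    def __init__(self, header_lines):
        self._msg = email.message.Message()
        for name, value in header_lines:
            self._msg[name] = value      # repeated header names are kept

    def info(self):
        return self._msg


def cookie_header_for(set_headers, set_url, fetch_url, rfc2965=False):
    """Store the cookies carried by `set_headers` as if received from
    `set_url`, then return the Cookie header the jar would attach to a
    request for `fetch_url` (None when no stored cookie matches).

    set_headers: list of (header-name, value) pairs, e.g. ("Set-Cookie", ...)
    rfc2965:     enable Set-Cookie2 / Port handling in the cookie policy
    """
    policy = http.cookiejar.DefaultCookiePolicy(rfc2965=rfc2965)
    jar = http.cookiejar.CookieJar(policy)

    jar.extract_cookies(_CannedResponse(set_headers),
                        urllib.request.Request(set_url))

    req = urllib.request.Request(fetch_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


# Constructed stand-ins: the login page served directly on port 80, and the
# same page reached through a TCPMon-style forwarder listening on 8080.
LOGIN_URL = "http://localhost/app/"
PROXY_URL = "http://localhost:8080/app/"

# Ordinary (Netscape / RFC 2109) session cookie, as a servlet container sends it.
NETSCAPE_SET_COOKIE = [("Set-Cookie", "JSESSIONID=abc123; Path=/")]

# The same cookie as an RFC 2965 Set-Cookie2 with an explicit Port list.
RFC2965_SET_COOKIE2 = [
    ("Set-Cookie2", 'JSESSIONID=abc123; Version=1; Path="/"; Port="80"'),
]


def netscape_cookie_leaks_across_ports():
    """A plain Set-Cookie has no port scope: the cookie set on port 80 is
    replayed to port 8080 on the same host, exactly as the reporter saw."""
    return cookie_header_for(NETSCAPE_SET_COOKIE, LOGIN_URL, PROXY_URL)


def rfc2965_port_attribute_blocks_other_ports():
    """With Set-Cookie2 and Port="80", the jar returns the cookie on port 80
    but withholds it from port 8080. Returns (header_on_80, header_on_8080)."""
    on_80 = cookie_header_for(RFC2965_SET_COOKIE2, LOGIN_URL, LOGIN_URL,
                              rfc2965=True)
    on_8080 = cookie_header_for(RFC2965_SET_COOKIE2, LOGIN_URL, PROXY_URL,
                                rfc2965=True)
    return on_80, on_8080


if __name__ == "__main__":
    print("Netscape cookie sent to :8080 ->", netscape_cookie_leaks_across_ports())
    on_80, on_8080 = rfc2965_port_attribute_blocks_other_ports()
    print("RFC 2965 cookie on :80   ->", on_80)
    print("RFC 2965 cookie on :8080 ->", on_8080)
```

The first function returns the bare "JSESSIONID=abc123" for the 8080 request, which is the behaviour the report describes and which RFC 6265 later made explicit ("cookies do not provide isolation by port"). The second shows what the Cookie2 Port list would have bought: the port-80 request gets the cookie back (with the RFC 2965 $Version, $Path and $Port attributes), the 8080 request gets no Cookie header at all. Since browsers never adopted Set-Cookie2, the practical consequence stands today: any service listening on another port of the same host receives the session cookies of the one on port 80.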
> (but Cookie2 never really caught on).

Opera supports it... (Authors won't use Cookie2 until it is widely implemented.)
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

*** This bug has been marked as a duplicate of 189784 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago → 12 years ago
Resolution: --- → DUPLICATE