Closed Bug 295396 Opened 19 years ago Closed 18 years ago

Session data sent to a wrong port.

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 189784

People

(Reporter: st946tbf, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Session data from port 80 was sent to port 8080 (cookies, etc.)

Reproducible: Always

Steps to Reproduce:
1. I have a page that needs login (using cookies); it sits on port 80.
2. Using the web browser (Firefox), I open the page and log in.
3. Without closing Firefox, I start up TCPMon (the one from Apache Axis), listen on port 8080,
and forward to port 80.
4. Using Firefox, I open the page again (http://localhost:8080). I was surprised
that I was allowed in. So I reason that my cookies for port 80 must have
been sent to port 8080.

This is a bug unless it has something to do with the way I get the session. In a servlet
filter, I call: sess = request.getSession(true);
which generates the session key and stores it in the cookies.
Cookies are agnostic about port, they use host and path
(http://www.faqs.org/rfcs/rfc2109.html)

The proposed "Cookie2" spec (http://www.faqs.org/rfcs/rfc2965.html) addressed
this by adding an optional PORT list that would restrict a cookie to only that
port or ports. In the absence of a port specifier cookies are still available to
all ports for backward compatibility (but Cookie2 never really caught on).

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
> (but Cookie2 never really caught on).

Opera supports it... (Authors won't use Cookie2 until it is widely implemented.)
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

*** This bug has been marked as a duplicate of 189784 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago → 18 years ago
Resolution: --- → DUPLICATE
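The behaviour the report and the Cookie2 comments describe, reproduced with Python's http.cookiejar as an added example (this is not Firefox code and not from the bug report): a classic Set-Cookie from localhost:80 is attached to a request for localhost:8080 because cookie scope is host plus path, while an RFC 2965 Set-Cookie2 with Port="80" is withheld from port 8080. FakeResponse, the JSESSIONID name and the abc123 value are constructed for the demo.

```python
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class FakeResponse:
    """Stand-in for an HTTP response: CookieJar only needs .info() to read Set-Cookie* headers."""

    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:  # constructed headers, e.g. ("Set-Cookie", "...")
            self._msg.add_header(name, value)

    def info(self):
        return self._msg


def cookie_header_for(jar, url):
    """Cookie header the jar would attach to a GET for url, or None if no cookie matches."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def netscape_cookie_crosses_ports():
    """Netscape / RFC 2109 style cookie: scope is host + path, the port is never consulted."""
    jar = CookieJar()  # default policy accepts Netscape-style cookies only
    login = Request("http://localhost/")  # port 80, as in the report (JSESSIONID value is made up)
    jar.extract_cookies(FakeResponse([("Set-Cookie", "JSESSIONID=abc123; Path=/")]), login)
    return cookie_header_for(jar, "http://localhost:8080/")


def rfc2965_port_attribute_restricts():
    """Set-Cookie2 with Port="80": the jar sends the cookie to port 80 but not to port 8080."""
    jar = CookieJar(DefaultCookiePolicy(rfc2965=True))  # opt in to RFC 2965 handling
    login = Request("http://localhost/")
    hdr = 'JSESSIONID="abc123"; Version="1"; Port="80"'
    jar.extract_cookies(FakeResponse([("Set-Cookie2", hdr)]), login)
    return (cookie_header_for(jar, "http://localhost/"),
            cookie_header_for(jar, "http://localhost:8080/"))


if __name__ == "__main__":
    print("Set-Cookie from :80, request to :8080 ->", netscape_cookie_crosses_ports())
    print("Set-Cookie2 Port=80, requests to :80 / :8080 ->", rfc2965_port_attribute_restricts())
```

The first function returns a Cookie header even though the port changed, which is exactly what TCPMon on 8080 observed; the second returns a header for port 80 and None for port 8080.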