Closed Bug 304365 Opened 20 years ago Closed 20 years ago

Cookie does not expire when set if expiration date has already passed

Categories

(Core :: Networking: Cookies, defect)

1.7 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: bondsbw, Assigned: darin.moz)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Whenever the server sets a cookie in the past, Firefox still allows the cookie to be set. I noticed this issue when a development server reset its date and time to the year 2003 (bad CMOS battery). A page set the cookie to that date plus one year, so the cookie expiration was Jan 3, 2004 (confirmed by looking at the Set-Cookie response header). Firefox should not have allowed this cookie to be set with a past expiration date. This was checked and confirmed on Aug 10, 2005. I assume this is not proper behavior, as some other browsers do not allow a cookie to be set with a past expiration date.

Reproducible: Didn't try

Steps to Reproduce:
1. Have a website set a cookie in the past.
2. Open Firefox, browse to that website.

Actual Results:
The cookie was set.

Expected Results:
The cookie should not have been set.

The server producing the page response is running ASP.NET 1.1. The "ASP.NET_SessionId" cookie was set at the same time as the cookie mentioned above. Another (forms authentication) cookie was previously set. None of the cookies were secure. All of the cookies had a "/" path. The two non-problem cookies expired at the end of the session. The forms authentication cookie was set with only the sub-domain (e.g. instead of "mysite.myhost.com", it was set to ".myhost.com").
Assignee: nobody → darin
Component: General → Networking: Cookies
Product: Firefox → Core
QA Contact: general → networking.cookies
Summary: Cookie does not expire when set if expiration date has already passed → Cookie does not expire when set if expiration date has already passed
Version: unspecified → 1.7 Branch
how did you check that the cookie was set? especially, did it get sent back to the server?
(In reply to comment #1)
> how did you check that the cookie was set? especially, did it get sent back to
> the server?

I experienced a similar problem -- and have another way to reproduce it -- if you change your local machine date (put it in the year 2010), and try to access any external service that sets a cookie with a correct time and date, you'll receive the cookie and act normally.

I am using the developer toolbar's response header information to view that the cookie is set correctly (expires=Mon, 18 Aug 2008 17:01:02), and it persists (and is used by the server, since it's an auth-id cookie) across the pages.

Does Firefox use the date and time from elsewhere (other than the local machine) to check the validity of a cookie?

Cheers,
Guilherme Capilé
The server time is used somewhere in the process, so you should test with a cookie that really expired. Just setting your local clock to some time in the future might give weird results.
When setting the cookie, the difference between the server time and the local time is taken into account. When the server sends a cookie with an expiry date in the future, compared to its own time, the cookie will be accepted. The local time doesn't matter here. So if your clock, or that of the server, is wrong at the time of setting the cookie, the cookie will be set anyway.

http://lxr.mozilla.org/seamonkey/source/netwerk/cookie/src/nsCookieService.cpp#1875

This makes this bug invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
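
A sketch of the rule described in the closing comment, as an added example rather than code from nsCookieService.cpp: the cookie's lifetime is measured against the server's Date header and then re-based onto the client clock. The function names, the fallback used when no Date header is present, and the sample dates are assumptions constructed for illustration.

```javascript
// Added illustration, not Mozilla's code: all names here are hypothetical.

// Parse an HTTP date string to epoch seconds; null when missing or unparseable.
function httpDateToSeconds(value) {
  const ms = Date.parse(value ?? "");
  return Number.isNaN(ms) ? null : Math.floor(ms / 1000);
}

// expiresAttr: expires= value from Set-Cookie (null for a session cookie)
// serverDate:  Date response header (null if the server sent none)
// localNow:    client clock, epoch seconds
function evaluateCookieExpiry(expiresAttr, serverDate, localNow) {
  const expires = httpDateToSeconds(expiresAttr);
  if (expires === null) {
    // Assumption: no usable expiry means a session cookie.
    return { stored: true, session: true, localExpiry: null };
  }
  // Assumption: without a usable Date header the client trusts its own clock.
  const serverNow = httpDateToSeconds(serverDate) ?? localNow;
  const lifetime = expires - serverNow; // measured on the server's clock
  if (lifetime <= 0) {
    return { stored: false, session: false, localExpiry: null };
  }
  // Re-base the lifetime onto the client clock.
  return { stored: true, session: false, localExpiry: localNow + lifetime };
}

// Constructed sample inputs modelled on the two reports in this bug.
const AUG_2005 = Date.UTC(2005, 7, 10) / 1000; // reporter's client clock
const JAN_2010 = Date.UTC(2010, 0, 1) / 1000;  // commenter's client clock set ahead

function sampleCases() {
  return {
    // Server clock stuck in 2003, cookie set to "now plus one year".
    staleServer: evaluateCookieExpiry(
      "Sat, 03 Jan 2004 12:00:00 GMT", "Fri, 03 Jan 2003 12:00:00 GMT", AUG_2005),
    // Correct server, client clock in 2010.
    fastClient: evaluateCookieExpiry(
      "Mon, 18 Aug 2008 17:01:02 GMT", "Sat, 18 Aug 2007 17:01:02 GMT", JAN_2010),
    // Expiry already in the past on the server's own clock.
    reallyExpired: evaluateCookieExpiry(
      "Thu, 02 Jan 2003 12:00:00 GMT", "Fri, 03 Jan 2003 12:00:00 GMT", AUG_2005),
    // Same stale expiry, but no Date header to measure against.
    noDateHeader: evaluateCookieExpiry("Sat, 03 Jan 2004 12:00:00 GMT", null, AUG_2005),
  };
}

console.log(sampleCases());
```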