Closed Bug 315699 Opened 14 years ago Closed 2 years ago

login cookie race condition when opening multiple bookmarks into tabs

Categories

(Firefox :: Bookmarks & History, defect, major)

defect
Not set
major

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: n1ck.h0w1tt+bugzilla, Unassigned)

References

()

Details

(Keywords: regression)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051105 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051105 Firefox/1.5

When I open a bookmark folder with more than one mozillazine bookmark, often, only the first tab appears to be logged in. The second and subsequent tabs generally do not get logged in.

This issue only became apparent to me when the mozillazine forum had a software upgrade last week.

There is a thread on this at http://forums.mozillazine.org/viewtopic.php?t=337531

Reproducible: Sometimes

Steps to Reproduce:
Virgin profile - only changed connection settings.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051105 Firefox/1.5 ID:2005110503
1700MHz P4

1 - Opened Mozillazine tab, logged in, bookmarked it.
2 - Opened Ff builds forum tab, bookmarked it
3 - Opened Extensions forum tab, bookmarked it.
4 - Created Bookmarks folder "Test" and moved above bookmarks into it.
cookies: phpbb2mysql_sid (session only), phpbb2mysql_data (expires 09 Nov 2006)
5 - Restart Ff
6 - Only phpbbsmysql_data cookie exists.
7 - Middle click on "Test" bookmark folder
8 - 3 tabs open correctly
9 - Restart Ff
10 - Middle click on "Test" bookmark folder
11 - First tab shows logged in, second and third do not.

It is very rare that this works ever. I was very surprised to see step 8 work. If you do get logged in correctly to all tabs, restart Ff and try again.




Expected Results:  
All mozillazine tabs should appear to be logged in.
I've seen this twice in the space of a few days. This is going to be horrid to reproduce, so I hope someone can pin it down quickly. 

Haven't yet tried to reproduce on trunk, but this is definitely present on the branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051109 Firefox/1.5

This is ultimately very late in the game, but I'm requesting blocking RC2 in the hopes that someone can figure this out and squash it quickly.
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8rc2?
Keywords: qawanted, regression
Version: unspecified → 1.5 Branch
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8 ) Gecko/20051109 Firefox/1.5
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8 ) Gecko/20051108 Firefox/1.5

In my case it appears to be a forum issue not an Fx issue since it's occurring on different profiles(at least one was totally new), different o/s(Windows XP Home and Linux), different versions(1.0.7 and 1.5) of Fx and different computers.
Do we have any reports of this problem outside of mozillaZine? If not, I suspect it's specific to mozillaZine and will require a fix from them. 
There were reports of this occuring on other sites in the following thread:
<http://forums.mozillazine.org/viewtopic.php?t=337531>

I've asked for people to post the specifics in this bug.
I've had this cookie problrm since the last nightly or two if Beta 2 and continuing through this evening. My cookie permissions/options are "allow sites to set cookies". I have no "exceptions". The following sites/forums (other than MozillaZine Forums) are the ones I've had to re-log in every now and again. 

BLACK CAT BONE MUSIC DISCUSSION FORUM: http://www.blackcatbone.34sp.com/phpBB2/index.php?sid=595104f404d4e27b7e052cb747bb539c

EXTENSIONS MIRROr (Discussion Sub Forum): http://www.extensionsmirror.nl/index.php?showforum=22

SOULSEEK NETWORK COMMUNITY FORUMS: http://forums.slsknet.org/ipb/index.php?act=idx

BLOGGER HOME (Dashboard): 
http://www.blogger.com/home

MY SPACE: http://www.myspace.com/index.cfm?fuseaction=blog.controlcenter&Mytoken=4450D2F3-7477-4DD2-93B0F311C34285D71506418468&setonlinenow=1&Mytoken=F9D371DA-CD49-4736-9FDAB5C5DFF21740104024375
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051109 Firefox/1.5 ID:2005110922
Tried forums.mozillazine and extensionsmirror.
Forums.mozillazine even showed the problem in 1.0.7 (some tabs were remembered, others not, but after one or two restarts they were all forgotten). Extensionsmirror WFM.
I see that in forums.mozillazine individual bookmarks open logged in, also when I open the bookmark in a new tab. But the problem arises, when I want to open more bookmarks at the same time (by middleclicking a folder). At the moment that I open  more tabs that contain one or more bookmarks that are logged out, all further bookmarks will show logged out from now on.
This has been happening with my work's intranet (Boeing).  I log in, and the portal page automatically refreshes every fifteen minutes (I leave it open in the background), and eventually (within an hour), I get logged out, even though there is no reason I should be, without having clicked the logout link.  Unfortunately, you can't access the site from outside the firewall, otherwise I'd link it as an example.  In short, this is not just a Mozillazine problem.
Site problems? If this is also a problem in 1.0.x then we should get this over to evangelism.
Flags: blocking1.8rc2? → blocking1.8rc2-
So far we have seen reports of problems with Invision Power Board and phpBB. I looked at their sites and found some threads about auto-login issues but nothing specific about Firefox. Each has plenty of bugs open about login issues, XSS, etc.

Doug, what software does Boeing use ?

For people that can reproduce the problems, what are your cookie settings? Can you look at your cookies and give us the domain, path and expiration of the cookies used by the site?
(In reply to comment #10)
> 
> Doug, what software does Boeing use ?
> 

It's all custom built.  Actually, upon further reflection, I recall this being a problem in IE, too, so I'm inclined to think that this is probably a site-specific problem.
i'm seeing this on several bugzillas (incl. mozilla, gentoo, gcc, freedesktop), phpbb forums, mozillazine, google, and gmail.  
happening here also. on mozillazine on home computer and bugzilla on work computer. both running Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051113 Firefox/1.6a1

seems like only happens when i upgrade to newer nightly
This problem is reproducible on 1.0.7 as well as 1.5rc2.  I think it may have something to do with session cookies:

If you open one page and you have the cookie to auto-login, then auto-login works for that page.  You can then open a number of pages on that site into tabs, and they all are ok.

If you do not open one page first, then the first one or two tabs are logged in, but the others are not.  And if you do a reload on the logged-in pages, they will reload as logged-out.

In the case of the mozillazine forums:

The first set of requests send the login cookie, but do not send a session cookie.  The server responds with a different session cookie for each of the requests in this set, and appears to honor the auto-login cookie.

The next set of requests send the auto-login cookie and one of the session cookies.  The server response to these requests does not appear to honor the auto-login cookie, probably due to the different (and differing) session cookies.

Perhaps the version of phpbb before the recent upgrade did not check the session cookies so closely.
It seems that this bug happens only on phpBB forums (all that I visit) and Bugzilla. It is really annoying.
yeah it seems to happen only in phpBB forums except bugzilla for my case.
strange .. but I have auto-save login info checked so it's not very painfull for me to click login ;-) The better way to fix this may be websites-side. How do we deal with it ?

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051121 Firefox/1.5
Flags: blocking-aviary2?
See PHPBB forum thread http://www.phpbb.com/phpBB/viewtopic.php?t=340452&postdays=0&postorder=asc&highlight=cookies&start=0 which the mods there have locked. I think this is a PHPBB upgrade to 2.0.18 problem but they appear to be trying to deny it there.
removing blocking-aviary2 flag.

phpbb-side issue. (2.0.18)

If somebody do not agree, feel free to request another blocking flag.
Flags: blocking-aviary2?
Users of our system (it's not PHPbb) are reporting this is happening frequently: session cookies set by PHP are sporadically lost, and users cannot set the cookies again.

Clearing all cookies with the "clear private data" tool temporarily resolves the problem.

This issue doesn't seem to be *just* a PHPbb issue.
Is this really just a phpbb problem? I see it on vBulletin boards (running various versions). And is this effecting everyone? I think we need some simple repro steps and then to find a regression range. Once this is done we can set the flag and get someone to look at it and (fingers crossed) fix it. I'm going loopy having to relogin to the boards i read randomly.
It's relatively easy to show what might be happening to the cookies with a simple test page, like the one I just wrote at:
  http://silver.warwickcompsoc.co.uk/temp/bug315699

The three test URLs will hand out a randomly generated (session) cookie if there is not one already set. If each is opened in turn, you find that the first one sets the cookie, and the rest see it fine. If you open all three at once via a bookmark folder, all three pages see no session cookie, and all three set a new one. This is nothing more than a simple demonstration of what Dave Liebreich suggested in comment 14.

However, if you then open the inital page (keeping the 3 test pages open), you will sometimes find that it is not the cookie from the 3rd test page that was kept - there is (not too suprisingly) a race over which cookie is kept. If this differs from the session ID stored on the server, it will consider you logged out on the next request (as you provide a session ID that isn't in its DB).

This is all a bit hand-waving, but I can see it happening, especially since the headers will take a variable amount of time to make it from the server to the client. It does sound like it occurs far too reliably to just be a random race condition over the network, though, so perhaps there is something odd about how phpBB is generating/stoing the sessions (they do seem to be based on the exact second of the login).
Steve, unless you wanna backtrack all the way BEFORE 20050115, you won't. So I can say first hand this isn't a FF slated problem [Gotta love people runnin' old builds] unless this has to do with something core like how Fx reads cookie expiration. I'm getting this infuriating problem on MozillaZine constantly. I know this is a phpBB forum for a fact. It has to be.

Per James comment, YES! I KNEW IT! James, you are a 100% right. I've deduced it's the same thing - that the session IDs are getting thrown out b/c it doesn't recognize the old session cookie/it also must have a time discrepancy. But how do we go about contacting phpBB to get this fixed?

We've started a thread on it here:

Can't stay logged in:
http://forums.mozillazine.org/viewtopic.php?t=354646
This seriously appears to be a Firefox problem.  I suspect that Firefox is not properly sharing session cookie information across tabs.  Here's why:

I was logged into my bank and I made a cash transfer I then clicked to view my account summary.  After that, I middle-clicked on one of the accounts to view it in a new tab.  Voila!  My session has is expired and I must log back in!

In case anyone using the same bank wants to test, it's TD Canada Trust EasyWeb.
(In reply to comment #23)
> This seriously appears to be a Firefox problem.  I suspect that Firefox is not
> properly sharing session cookie information across tabs.  Here's why:

If you load my test pages one after the other in new tabs, they clearly show that session cookies are working fine across tabs. I seriously doubt any problem you had has any relation to this bug (if indeed this bug is a bug at all).
Tab context is not even readily available to the HTTP cookie engine, let alone used to determine which are sent.

TD Canada Trust has often had problems with multiple pages being used in parallel, likely due to session hijacking concerns.  Do you see different behaviour in 1.0.7?  I don't.
Flags: blocking-firefox2?
Without at least some ability to demonstrate/reproduce/really confirm this bug, we can't really block on it.
Flags: blocking-firefox2? → blocking-firefox2-
I may also be experiencing the same problem.
One caveat to my problem is that I do not use any 'auto-login' unless you are refering to the password mananger.

At http://www.masmforums.com and http://www.asmcommunity.com , both of which use SMF for the PHP based forum (http://www.simplemachines.org), I cannot maintain my login. By default these sites load the top page after login, but my login is lost when accessing a sub-forum, so you could imagine the infinite loop I am stuck in. Login, loose it (sent back to top), then login again.

If you want to reproduce just:
1 make an account
2 log in
3 click on any forum
4 top of page will list you as 'guest'

Firefox 1.0.7 through 1.5.0.2 have suffered from this.
My solution has been too clean out the cache and reboot windows.
Except when upgrading to 1.5, then I had to uninstall, reboot, install, and reboot.
And now with 1.5.0.2 nothing is working to work around this.

System is:
Firefox 1.5.0.2
Windows XP Home SP2
Set to remember username, password, and cookie.

I have mentioned this on masmforum but the suggestion is a firefox issue.
Same system but a seperate problem with PHP logins

At http://www.ubuntuforums.org my login is eventually forgotten.
What I mean is that after a time I am listed as not logged in.
I do not know how long this takes, maybe something like 5 or 10 minutes.
Like the SMF forums after logging back in I am taken to the top page again (a similiar infinite loop). Occasionaly my ;ogin is forgotten when trying to access a certain forum. Today it was the networking forum but it changes which one I'll have problems with.

No idea for a work around on this one, I haven't been a member of that forum for long. And again I am logging in through the password manager.
This is happening for me on a consistent basis at http://www.codeproject.com

I'll log in, set my preferences for the forums (50 messages per page) and then close Firefox. When I open Firefox and go to CodeProject, I'm signed out and my prefs are back to the default. 
Sorry for the bug spam, but I forgot to mention that I'm running Minefield. (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060627 Minefield/3.0a1 ID:2006062704 [cairo]) Also, for clarification, the forums at CodeProject are classic ASP. So this isn't just a PHP issue.
Huh. That's really weird. As soon as I upgraded to yesterday's nightly, I could login to CodeProject just fine. I'm blaming this on ghostus ex machina...the ghost in the machine, since there was obviously no work done on cookie handling code between the 27th and 28th.
I can consistently encounter this bug using build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a3pre) Gecko/20070321 Minefield/3.0a3pre, on the site http://forums.beyondunreal.com, which uses vBulletin Version 3.6.5.
(In reply to comment #32)
> I can consistently encounter this bug using build Mozilla/5.0 (Windows; U;
> Windows NT 5.1; en-US; rv:1.9a3pre) Gecko/20070321 Minefield/3.0a3pre, on the
> site http://forums.beyondunreal.com, which uses vBulletin Version 3.6.5.
> 

That's probably caused by the recently added httponly-cookie (bug #178993) support. vbulletin uses httponly for cookies that contain your userid, password-hash and sessionhash since vB 3.6.1.
(In reply to comment #21)

nice analysis! your demonstration works on trunk, so it's still a valid bug. two points:

1) there's really nothing we can do in the cookie backend to fix this. one reasonable fix might be to add a check into the code that opens multiple URI's into tabs or windows... if the domains of several URI's are the same, delay loading the rest until the first is done. "done" here could mean we received the first response header from the server, one of the event handlers or load notifications firing, or somesuch. this check would only affect loading multiple URI's from the same domain, which arguably wouldn't affect most users.

2) based on comments, it seems like certain releases of serverside software. have they done something to exacerbate this problem? should the fix be on their end?

kicking this bug over to places (bookmarks?) for now, since the fix probably belongs in the "open all in tabs" code.
Component: General → Places
OS: Windows XP → All
QA Contact: general → places
Hardware: PC → All
Version: 1.5.0.x Branch → Trunk
updating summary.
Summary: Auto-login Cookies not always working → login cookie race condition when opening multiple bookmarks into tabs
Yes, dwitte's suggestion to stagger the loading of same-domain URLs could probably be done in the "open all tabs" code.
Priority: -- → P3
Whiteboard: [good first bug]
Keywords: qawanted
Bug 451915 - move Firefox/Places bugs to Firefox/Bookmarks and History. Remove all bugspam from this move by filtering for the string "places-to-b-and-h".

In Thunderbird 3.0b, you do that as follows:
Tools | Message Filters
Make sure the correct account is selected. Click "New"
Conditions: Body   contains   places-to-b-and-h
Change the action to "Delete Message".
Select "Manually Run" from the dropdown at the top.
Click OK.

Select the filter in the list, make sure "Inbox" is selected at the bottom, and click "Run Now". This should delete all the bugspam. You can then delete the filter.

Gerv
Component: Places → Bookmarks & History
QA Contact: places → bookmarks
Dietrich, do you still think this is a good first bug? It hasn't been touched in a while. If we keep it as a good first bug, might you consider tagging it as a mentored bug, and being the mentor? Thanks!
Flags: needinfo?(dietrich)
Hi Liz! It's been more than 4 years since I left that comment.

Added a ni? for Marco, who might better know that code in it's contemporary state and could make a call on whether this is worth mentoring.
Flags: needinfo?(dietrich)
Whiteboard: [good first bug]
Priority: P3 → --
Most of the later reports don't mention "Opening all in tabs" for this bug, and the fact we've not heard anything on this for a few years, makes me wonder if this is really still an issue. Additionally, lots has changed in the last 10 years...

I'm going to mark as "works for me". If you're still seeing a problem, please feel free to file a new bug with steps to repeat and as much detail as you can.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.