HttpOnly Cookies broken (exchanged httponly and secure)

RESOLVED FIXED

Status

defect
13 years ago
12 years ago

People

(Reporter: ronny.perinke, Assigned: ronny.perinke)

Tracking

({regression})

Trunk
Bug Flags:
in-testsuite ?

Attachments

(1 attachment)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9a4pre) Gecko/20070327 Firefox/3.0a4pre (Sephiroth/SSE2)
Build Identifier: 

If an httponly cookie or even a normal cookie is read from cookies.txt, its isSecure and httponly states are exchanged: httponly becomes isSecure and vice versa.
Thus, httponly cookies are not sent over a non-secure HTTP connection and will be stored incorrectly again in cookies.txt.

Reproducible: Always

Steps to Reproduce:
1. log in to a forum using vBulletin >= 3.6.1 and check "remember login"
2. quit browser and do not delete the login cookies (userid and password)
3. start browser and visit the forum
Actual Results:  
not logged in anymore

Expected Results:  
automatically logged in again

bug #178993 comment #119
> something went wrong, the cookies are not sent back or so.
> 
> bug #315699 comment #32
> > I can consistently encounter this bug using build Mozilla/5.0 (Windows; U;
> > Windows NT 5.1; en-US; rv:1.9a3pre) Gecko/20070321 Minefield/3.0a3pre, on the
> > site http://forums.beyondunreal.com, which uses vBulletin Version 3.6.5.
> > 
> vBulletin uses httponly for cookies that contain your userid,
> password-hash and sessionhash since vB 3.6.1. Login works normally in IE 7,
> which supports httponly cookies.
>
Keywords: regression
OS: Windows XP → All
Hardware: PC → All
Posted patch: fix it
fix call of nsCookie::Create()
isHttpOnly is the 9th parameter and not the 8th
aIsSecure is the 8th parameter and not the 9th
Attachment #259755 - Flags: review?(sayrer)
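
The argument swap described in the patch note above, as an added example that is not Mozilla's code: a simplified C++ model of the cookie load path with a round-trip check that catches the swap. `CreateCookie`, `StoredRecord`, `LoadSwapped`, `LoadFixed` and the helper predicates are hypothetical names, the four-parameter signature is an assumption, and the sample records are constructed.

```cpp
#include <cstdio>
#include <string>

// Simplified model (assumption): the real nsCookie::Create() takes more
// parameters; the patch note says aIsSecure is 8th and isHttpOnly is 9th.
struct Cookie { std::string name, value; bool isSecure; bool isHttpOnly; };

Cookie CreateCookie(const std::string& name, const std::string& value,
                    bool isSecure, bool isHttpOnly) {
    return Cookie{name, value, isSecure, isHttpOnly};
}

// Constructed stand-in for one record parsed from cookies.txt.
struct StoredRecord { std::string name, value; bool secure; bool httpOnly; };

// The defect from the report: two adjacent bools passed in the wrong order.
// Both are bool, so the compiler accepts the call without a warning.
Cookie LoadSwapped(const StoredRecord& r) {
    return CreateCookie(r.name, r.value, r.httpOnly, r.secure);
}

// Corrected order, matching the parameter list.
Cookie LoadFixed(const StoredRecord& r) {
    return CreateCookie(r.name, r.value, r.secure, r.httpOnly);
}

// Secure cookies are withheld from plain http requests.
bool SentOverPlainHttp(const Cookie& c) { return !c.isSecure; }
// HttpOnly cookies are withheld from page script.
bool VisibleToScript(const Cookie& c) { return !c.isHttpOnly; }

// Round-trip check for a regression test: flags must survive a load.
bool FlagsSurviveLoad(Cookie (*load)(const StoredRecord&),
                      const StoredRecord& r) {
    Cookie c = load(r);
    return c.isSecure == r.secure && c.isHttpOnly == r.httpOnly;
}

int main() {
    StoredRecord login{"userid", "42", false, true};   // HttpOnly, not Secure
    StoredRecord tls{"sid", "abc", true, false};       // Secure, not HttpOnly
    std::printf("swapped ok=%d fixed ok=%d\n",
                FlagsSurviveLoad(LoadSwapped, login),
                FlagsSurviveLoad(LoadFixed, login));
    std::printf("login cookie sent over http after swap: %d\n",
                SentOverPlainHttp(LoadSwapped(login)));
    std::printf("Secure cookie sent over http after swap: %d\n",
                SentOverPlainHttp(LoadSwapped(tls)));
    return 0;
}
```

Giving the two flags distinct types (for example two scoped enums) instead of two `bool` parameters would turn this kind of swap into a compile error.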
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a4pre) Gecko/20070327 Minefield/3.0a4pre ID:2007032702 [cairo]
Confirming this bug. I've been seeing it for a couple of weeks or so on http://www.neowin.net/forum/
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: 178993
Comment on attachment 259755 [details] [diff] [review]
fix it

r=mkaply
Attachment #259755 - Flags: review?(sayrer) → review+
Attachment #259755 - Flags: superreview?(darin.moz)
Attachment #259755 - Flags: superreview?(darin.moz) → superreview+
Assignee: nobody → ronny.perinke
Whiteboard: [checkin needed]
Checking in mozilla/netwerk/cookie/src/nsCookieService.cpp;
/cvsroot/mozilla/netwerk/cookie/src/nsCookieService.cpp,v  <--  nsCookieService.cpp
new revision: 1.53; previous revision: 1.52
done
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Flags: in-testsuite?
This bug was only present in 3.0 builds, not in 2.0 releases, right?  I'm seeing can't-always-remember-me symptoms in 2.0.x up to and including 2.0.0.11.  They sound similar but I haven't dug into it yet.
(In reply to comment #5)
> This bug was only present in 3.0 builds, not in 2.0 releases, right?  I'm
> seeing can't-always-remember-me symptoms in 2.0.x up to and including 2.0.0.11.
>  They sound similar but I haven't dug into it yet.
> 

Implementing httponly-cookies in Firefox 2.0 is bug 178993 but it looks ok and I can say that it works (for me).
Your problem seems to have another reason. You can check if and what cookie content is sent with LiveHTTPHeaders (http://livehttpheaders.mozdev.org/).