Closed Bug 416356 Opened 17 years ago Closed 16 years ago

Does not accept domain cookies issued by subdomains sites like bugzilla.mozilla.org cannot issue a mozilla.org cookie

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: riccirj, Unassigned)

References

(
URL
)

Details

(Keywords: privacy)

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 I have a website with URL athena.rdc.puc-rio.br. This website has a login page that redirects the authenticated user to several websites under the .puc-rio.br domain, like puconline.puc-rio.br. So the authentication ticket is issued as .puc-rio.br to be accessible by all subdomain websites, but the firefox 3 does not accept "domain cookies". When I enter using the Second Version of firefox everything works perfectly. Several Websites authenticates theirs users in that way. Reproducible: Always Steps to Reproduce: 1.I can send you all the steps needed to reproduce but These steps are confidencial, should not be visible in bug tracker because its a internal application that needs user and password 2. 3.
Keywords: privacy
i'm not sure i understand the problem completely: 1) are you having problems with firefox 3, but firefox 2.0 works? (if so, which alpha or beta version of firefox 3?) 2) do you think this is a problem with firefox handling login cookies, or some other authentication mechanism? if this is a cookie problem, the first step is to generate a cookie log demonstrating the problem. can you please follow the steps at http://developer.mozilla.org/en/docs/Creating_a_Cookie_Log, and attach the log here?
Version: unspecified → Trunk
If I understood well, he said a subdomain, bugzilla.mozilla.org, can't create a cookie that is valid for mozilla.org and all its subdomains. If so, this not seems to me a bug but a security feature. And I'm a bit surprised to read Firefox 2 doesn't have it...
(In reply to comment #2) > If so, this not seems to me a bug but a security feature. And I'm a bit > surprised to read Firefox 2 doesn't have it... creating a domain cookie accessible to higher-level domains is valid behavior. we need a cookie log, as noted in comment 1, to proceed further here.
(In reply to comment #3) > creating a domain cookie accessible to higher-level domains is valid behavior. Of course, but he's not writing about the contrary, that is cookie accessible lo lower level domains? From the report: > I have a website with URL athena.rdc.puc-rio.br. This website has a login page > that redirects the authenticated user to several websites under the > .puc-rio.br domain For what I've understood, the login page is at athena.rdc.puc-rio.br, and not at .puc-rio.br Anyway you are completely right, we need his cookie log ^___^
At this point doesn't look like we'll get any more information, resolving incomplete.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INCOMPLETE
Resolution: INCOMPLETE → FIXED
Reporter, if now the problem seems to be resolved but you don't know why, the bug must be resolved as WFM. I change the resolution :-)
Resolution: FIXED → WORKSFORME
You need to log in before you can comment on or make changes to this bug.