Closed Bug 460776 Opened 16 years ago Closed 16 years ago

Cookies set to nhs.uk treated as TLD and rejected

Categories: Core :: Networking, defect
Priority: Not set
Severity: major
Status: VERIFIED FIXED
People: Reporter: martin.button, Assigned: david+mozilla
Keywords: verified1.9.0.5
Attachments: 2 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (.NET CLR 3.5.30729)

If you register with the talk.nhs.uk website a single sign on cookie will be set for nhs.uk. Whilst this is a TLD, it is also used for all NHS websites in the uk and www.nhs.uk and talk.nhs.uk are valid addresses. For this reason a cookie set to nhs.uk is also valid.

This works fine in IE7, Safari, Firefox 2 and Opera, but not in Firefox 3 or Google Chrome.

I reported this in IRC and it was suggested that an exception could be added to the effective_tld_names.dat file to accommodate nhs.uk

Reproducible: Always

Steps to Reproduce:
1. Visit talk.nhs.uk
2. Click on create an account in the header
3. Complete the simple form (email address and password) and click create an account
4. Click 'Skip this step' at the foot of the page
5. Click 'Return to the page you were on'
6. This should return you to talk.nhs.uk in a logged in state. Viewing the cookies set you should see a cookie named CSUser set to the domain nhs.uk
Actual Results:  
The CSUser cookie never appears and because of this you are unable to log in to the talk.nhs.uk website

Expected Results:  
The CSUser cookie should be saved for the domain nhs.uk

The NHS in the UK control all domains that end nhs.uk. If you need to verify that can you please contact David Hinkinson-Hodnett using the email address david.hinkinson-hodnett@dh.gsi.gov.uk who can provide any paperwork necessary to verify this.

This defect currently prevents anybody using Firefox 3 from using the NHS Talk application. Currently we have over 3 million (due to hit over 6 million in the next couple of months when we take over another site) users a month and with Firefox's market share this suggests a large number of users are being prevented from using our site by this bug.
Component: General → Networking
Product: Firefox → Core
QA Contact: general → networking
Component: Networking → Networking: Cookies
QA Contact: networking → networking.cookies
sounds like we need a !nhs.uk rule.
Severity: critical → major
Here is a patch for the issue, it only contains one change, but as this seems to affect a lot of people I hope we can get this into trunk and CVS soon.
Maybe we should also set this bug blocking1.9.0.4.
Assignee: nobody → david+mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #344075 - Flags: review?(gerv)
Wait a sec :-)

The NHS in the UK is a multi-faceted beast; it's certainly not a no-brainer that all of the different companies and organizations which run NHS services should be allowed to set or see each other's cookies. For example, we don't allow cookies for sch.uk (schools) because, even if they all receive government funding, they are run independently. Isn't this arrangement parallel to different NHS trusts?

Similarly, if I am on http://www.bcf.nhs.uk/, I want the ETLD+1 to be "bcf.nhs.uk" (Barnet and Chase Farm NHS Trust), not "nhs.uk".

I need to contact david.hinkinson-hodnett@dh.gsi.gov.uk and discuss it with him.

Gerv
Attachment #344075 - Flags: review?(gerv) → review-
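As an added illustration (not Gecko's nsEffectiveTLDService code and not the attached patch), a small implementation of the effective_tld_names.dat matching rules: a `*.uk` wildcard makes nhs.uk a public suffix, so Gecko rejects a cookie whose Domain is nhs.uk, and the `!nhs.uk` exception suggested above reverses that, with the side effect Gerv describes for bcf.nhs.uk. The rule text is a constructed, simplified subset of the list's .uk section.

```python
# Added illustration of the effective_tld_names.dat (Public Suffix List)
# matching algorithm. Not Gecko's own code; the rule text is a constructed,
# simplified subset of the .uk section (the real list has more rules).
from typing import Optional

UK_RULES = """
// constructed subset: every label directly under .uk is a public suffix
uk
*.uk
"""

def parse_rules(text: str):
    """Return (is_exception, labels) pairs; '//' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("//")[0].strip()
        if line:
            rules.append((line.startswith("!"), line.lstrip("!").split(".")))
    return rules

def _matches(rule, labels) -> bool:
    # A rule matches when the domain ends with the rule's labels; '*' matches any one label.
    if len(rule) > len(labels):
        return False
    return all(r == "*" or r == l for r, l in zip(reversed(rule), reversed(labels)))

def public_suffix(domain: str, rules) -> str:
    labels = domain.lower().strip(".").split(".")
    matches = [(exc, r) for exc, r in rules if _matches(r, labels)]
    if not matches:
        prevailing = ["*"]  # default rule: the bare TLD is public
    else:
        exceptions = [r for exc, r in matches if exc]
        # An exception rule wins and is applied minus its leftmost label,
        # so '!nhs.uk' makes the public suffix 'uk' rather than 'nhs.uk'.
        prevailing = exceptions[0][1:] if exceptions else max((r for _, r in matches), key=len)
    return ".".join(labels[-len(prevailing):])

def registrable_domain(domain: str, rules) -> Optional[str]:
    """ETLD+1, or None when the domain is itself a public suffix."""
    labels = domain.lower().strip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def cookie_domain_accepted(host: str, cookie_domain: str, rules) -> bool:
    """Gecko's check in outline: the Domain attribute must cover the host
    and must not itself be a public suffix (the 'TLD' in the bug title)."""
    d = cookie_domain.lower().lstrip(".")
    if host.lower() != d and not host.lower().endswith("." + d):
        return False
    return registrable_domain(d, rules) is not None
```

Running the same checks with and without the `!nhs.uk` line shows why the CSUser cookie is dropped today and why, after the exception, every *.nhs.uk host shares nhs.uk as its ETLD+1.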
As Martin wrote, they are one organization, and they provide single sign-on for their services, which means they also share one user database. When you try to sign on for talk.nhs.uk you are redirected to www.nhs.uk. It's just the same as using secure.amazon.com for login (encrypted, when the password is transmitted) but using www.amazon.com for the rest (unencrypted), by using a cookie (with domain=.amazon.com) to store the session.
You are more than welcome to contact David to check the validity of this request. 

All nhs.uk addresses are controlled by an organisation called Connected For Health, part of the NHS in the UK. David can provide details for them if required.

You are quite right in that there are many different arms to the NHS, but they are all part of the NHS. Currently the only sites using the single sign on features are talk.nhs.uk, www.nhs.uk and an internal moderation administration site that I shouldn't really divulge the URL for. If other NHS websites wished to use the single sign on they could. When we decided to use the .nhs.uk cookie we did this fully aware and accepting the fact that all other NHS websites can see this cookie. This is not a problem in the slightest.

(In reply to comment #3)
> Wait a sec :-)
> 
> The NHS in the UK is a multi-faceted beast; it's certainly not a no-brainer
> that all of the different companies and organizations which run NHS services
> should be allowed to set or see each other's cookies. For example, we don't
> allow cookies for sch.uk (schools) because, even if they all receive government
> funding, they are run independently. Isn't this arrangement parallel to
> different NHS trusts?
> 
> Similarly, if I am on http://www.bcf.nhs.uk/, I want the ETLD+1 to be
> "bcf.nhs.uk" (Barnet and Chase Farm NHS Trust), not "nhs.uk".
> 
> I need to contact david.hinkinson-hodnett@dh.gsi.gov.uk and discuss it with
> him.
> 
> Gerv
Component: Networking: Cookies → Networking
OS: Windows Server 2003 → All
QA Contact: networking.cookies → networking
Hardware: PC → All
Version: unspecified → Trunk
I've emailed my contact at Nominet, who control .uk, to ask them what they think. I'll probably do whatever they decide.

Gerv
Has Nominet got back to you yet? As far as I'm aware they don't actually have any control over nhs.uk. It's managed internally by Connect for Health, the IT arm of the NHS. David Hinkinson-Hodnett can confirm all the details or put you in touch with whoever you need to speak to if you drop him an email.

Martin
No, they haven't. <sigh>

OK, fair enough. David: can you make a patch and get it checked in to the necessary places?

Thanks,

Gerv
Thanks for the update Gerv.

Do you have any idea of timescales to when we can hope to see this change in a Firefox release? Will it appear in a beta quickly or still take a while to filter through? Also is there a date set for the next release of Firefox that might include this change?

I don't mean to harass you but as with most of us I have people to answer to and so I could do with something to tell them basically.
Attachment #344075 - Flags: review?(gerv)
Comment on attachment 344075 [details] [diff] [review]
Patch to add nhs.uk as exception to the effective TLD list

The patch is still valid, it just needs a review ;-)

Martin Button:
If everything goes ok the patch might make it into Firefox 3.0.5, but the code freeze is in one week and the patch has yet to be checked into trunk and then into the 3.0.x branch. For more information, please take a look at https://wiki.mozilla.org/Releases
Comment on attachment 344075 [details] [diff] [review]
Patch to add nhs.uk as exception to the effective TLD list

r=gerv.

If you get it on the trunk ASAP, then you can get it on the branch in a few days if you are quick. It hardly needs much baking :-) 

Gerv
Attachment #344075 - Flags: review?(gerv) → review+
Attachment #344075 - Flags: review-
Comment on attachment 344075 [details] [diff] [review]
Patch to add nhs.uk as exception to the effective TLD list

clearing r- flag to make things more obvious ;)
Thanks, tagging as checkin-needed. Can somebody please check this into trunk?

I also requested blocking1.9.0.5-flag, as according to Martin Button this breaks a site with up to 6 million possible users. If it gets approved, I will add another patch that includes the changes made in #455771, so that trunk and 3.0 branch are in sync again.
Flags: blocking1.9.0.5?
Keywords: checkin-needed
Comment on attachment 344075 [details] [diff] [review]
Patch to add nhs.uk as exception to the effective TLD list

Trunk is currently locked down for blockers and approved patches only, so requesting approval for this.
Attachment #344075 - Flags: approval1.9.1b2?
Comment on attachment 344075 [details] [diff] [review]
Patch to add nhs.uk as exception to the effective TLD list

a=beltzner if you can find a green tree somewhere
Attachment #344075 - Flags: approval1.9.1b2? → approval1.9.1b2+
Pushed changeset bb2c08a5fb4e.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Thank you for the help ;-)

Here is another patch, that includes the changes made in bug #455771. It will finally bring trunk and mozilla-1.9 back in sync.
Attachment #347725 - Flags: review?(gerv)
Attachment #347725 - Flags: approval1.9.0.5?
Attachment #347725 - Attachment is patch: true
Attachment #347725 - Attachment mime type: application/octet-stream → text/plain
Attachment #347725 - Flags: review?(gerv) → review+
Comment on attachment 347725 [details] [diff] [review]
Patch to sync trunk and gecko 1.9.0

r=gerv.

Gerv
Not blocking, we'll look at the patch approval after another day or two of trunk testing. Can someone verify the fix on the trunk?
Flags: blocking1.9.0.5? → wanted1.9.0.x+
Whiteboard: [needs trunk verification]
Ok, I just tried the 3.1 beta and the current nightly in qemu from a clean windows system image.

On Firefox 3.1b1 (Gecko/20081007 Firefox/3.1b1) no cookies were set for .nhs.uk.
On Firefox 3.1b2pre (Gecko/20081114 Minefield/3.1b2pre) two cookies (WT_FPC and CSUser) were set for .nhs.uk.
On my main workstation, running Iceweasel 3.0.3 (Gecko 2008092814 Iceweasel/3.0.3) no cookies were set.

I hope this justifies as trunk verification.
Status: RESOLVED → VERIFIED
Whiteboard: [needs trunk verification]
Comment on attachment 347725 [details] [diff] [review]
Patch to sync trunk and gecko 1.9.0

Approved for 1.9.0.5, a=dveditz for release-drivers
Attachment #347725 - Flags: approval1.9.0.5? → approval1.9.0.5+
Checked in by mrbkap as CVS revision 1.9 of file effective_tld_names.dat. Thanks ;-)
Sorry to be a pest, but does this mean the fix will make the 3.0.5 release scheduled for mid December?
Yes, this will be fixed in the following releases:

3.0.5: around December 16
3.1b2: around November 24

David
Many thanks for everybody's assistance in resolving this.
This is verified fixed in 1.9.0.5 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008120105 GranParadiso/3.0.5pre. You can log into the site now and cookies are set.
Might be interesting to see why this works in other browsers. Do they not block cookies for the .co.uk etc. domains? Or are they using a different black/whitelist that includes the old domains such as nhs.uk, parliament.uk, jet.uk etc. (examples from Wikipedia)?