Closed Bug 525722 Opened 16 years ago Closed 14 years ago

Double page load breaks internet banking, when charset autodetection enabled

Categories

(Firefox :: General, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: dwmw2, Unassigned)

Details

(Whiteboard: [CLOSEME 2011-2-15])

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.4) Gecko/20091027 Fedora/3.5.4-1.fc12 Firefox/3.5.4
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.4) Gecko/20091027 Fedora/3.5.4-1.fc12 Firefox/3.5.4

I use an online banking service at https://ib.npbs.co.uk/

You can see the second stage of the login process if you enter a feasible customer number, such as 1200000. It shows you a frameset including 'password.asp' which asks for characters from your password and part of your date of birth.

When charset autodetection is enabled, that second stage of the login process is detected as being in the Windows-1252 charset.

If I enter my correct account details, the LiveHTTPHeaders plugin shows me that Firefox logs in successfully and sends a successful GET for the AccountSummary.asp page. However, for some reason Firefox sends a second GET for that same page, immediately after the first. As a security measure, the second GET is given a redirect to the login page, and the session is terminated. Firefox never displayed the first AccountSummary.asp page; the effect is that I'm just logged out as soon as I log in.

If I disable charset autodetection, or if I leave it enabled but manually switch to iso8859-1 when I'm viewing the password.asp page, this double GET doesn't happen and everything works fine.

Reproducible: Always

Steps to Reproduce:
1. Get an account at the Norwich and Peterborough Building Society
2. Apply for online banking access
3. Enable charset autodetection in Firefox
4. Attempt to log in
Trace from LiveHTTPHeaders, showing the problem.

It shows a successful login redirecting to AccountSummary.asp, a successful fetch of that page, and then the gratuitous immediate _second_ fetch of that page which causes the server to log me out, redirecting me back to the Login.asp page.

A trace when I disable charset detection looks very much like this at the start, but the second fetch of AccountSummary.asp doesn't happen -- instead it gets the CSS file referenced by that page, and continues happily with a successful session.

POST /netmastergoldbanking/VerifyPassword.asp HTTP/1.1
Host: ib03.npbs.co.uk
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.4) Gecko/20091027 Fedora/3.5.4-1.fc12 Firefox/3.5.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ib03.npbs.co.uk/netmastergoldbanking/password.asp
Cookie: ASPSESSIONIDCSBCQAAD=xxxxxxxxxxxxxxxxxxxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
txtToken=xxxxxxxxxxxxxxxxxxx&txtCustomerFound=Y&txtPos1=4&txtPos2=1&txtPos3=2&txtPos4=3&txtDOBCalculatedChoice=3&txtPassword=**********&txtHash=%2B%2521%2523%2521%252C%2B%2521&txtShortPassword=xxxx&selDOB=xxxx

HTTP/1.x 302 Object moved
Date: Sat, 31 Oct 2009 13:01:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Expires: -1
Pragma: no-cache
Location: StatementSwitchOff.asp?txtToken=xxxxxxxxxxxxxxx&txtHash=+%21%23%21%2C+%21
Content-Length: 203
Content-Type: text/html
----------------------------------------------------------
https://ib03.npbs.co.uk/netmastergoldbanking/StatementSwitchOff.asp?txtToken=xxxxxxxxxxxxxxxxx&txtHash=+%21%23%21%2C+%21

GET /netmastergoldbanking/StatementSwitchOff.asp?txtToken=xxxxxxxxxxxxxxxxx&txtHash=+%21%23%21%2C+%21 HTTP/1.1
Host: ib03.npbs.co.uk
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.4) Gecko/20091027 Fedora/3.5.4-1.fc12 Firefox/3.5.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ib03.npbs.co.uk/netmastergoldbanking/password.asp
Cookie: ASPSESSIONIDCSBCQAAD=xxxxxxxxxxxxxxxxxxxxxxxxx

HTTP/1.x 302 Object moved
Date: Sat, 31 Oct 2009 13:01:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Expires: -1
Pragma: no-cache
Location: AccountSummary.asp?txtToken=xxxxxxxxxxxxxxxxxxx&txtHash=+%21%23%21%2C+%21
Content-Length: 199
Content-Type: text/html
----------------------------------------------------------
https://ib03.npbs.co.uk/netmastergoldbanking/AccountSummary.asp?txtToken=xxxxxxxxxxxxx&txtHash=+%21%23%21%2C+%21

GET /netmastergoldbanking/AccountSummary.asp?txtToken=xxxxxxxxxxxxxxxxxx&txtHash=+%21%23%21%2C+%21 HTTP/1.1
Host: ib03.npbs.co.uk
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.4) Gecko/20091027 Fedora/3.5.4-1.fc12 Firefox/3.5.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ib03.npbs.co.uk/netmastergoldbanking/password.asp
Cookie: ASPSESSIONIDCSBCQAAD=xxxxxxxxxxxxxxxxxxx

HTTP/1.x 200 OK
Date: Sat, 31 Oct 2009 13:01:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Expires: -1
Pragma: no-cache
Content-Length: 7015
Content-Type: text/html
----------------------------------------------------------
https://ib03.npbs.co.uk/netmastergoldbanking/AccountSummary.asp?txtToken=xxxxxxxxxxxxxx&txtHash=+%21%23%21%2C+%21

GET /netmastergoldbanking/AccountSummary.asp?txtToken=xxxxxxxxxxxxxxxxxx&txtHash=+%21%23%21%2C+%21 HTTP/1.1
Host: ib03.npbs.co.uk
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.4) Gecko/20091027 Fedora/3.5.4-1.fc12 Firefox/3.5.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ib03.npbs.co.uk/netmastergoldbanking/password.asp
Cookie: ASPSESSIONIDCSBCQAAD=xxxxxxxxxxxxxxxxxxxxxx

HTTP/1.x 302 Object moved
Date: Sat, 31 Oct 2009 13:01:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Expires: -1
Pragma: no-cache
Location: Login.asp?ReLogin=Y
Content-Length: 140
Content-Type: text/html
----------------------------------------------------------
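Added example, not part of the original bug report or of any Firefox or bank code: a small Python parser for LiveHTTPHeaders-style traces that flags the pattern in the trace above, a GET repeated immediately for the same target, and reports how the two responses differ. The sample trace is constructed and abbreviated from the shape of the reporter's trace; the host `bank.example`, the token value and the function names are assumptions.

```python
import re

# Constructed sample, abbreviated from the shape of the trace above
# (placeholder host and token; only the lines the parser needs).
SAMPLE_TRACE = """\
GET /netmastergoldbanking/StatementSwitchOff.asp?txtToken=xxxx HTTP/1.1
Host: bank.example

HTTP/1.x 302 Object moved
Location: AccountSummary.asp?txtToken=xxxx
----------------------------------------------------------
GET /netmastergoldbanking/AccountSummary.asp?txtToken=xxxx HTTP/1.1
Host: bank.example

HTTP/1.x 200 OK
Content-Type: text/html
----------------------------------------------------------
GET /netmastergoldbanking/AccountSummary.asp?txtToken=xxxx HTTP/1.1
Host: bank.example

HTTP/1.x 302 Object moved
Location: Login.asp?ReLogin=Y
----------------------------------------------------------
"""

REQ = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/\d\.\w$", re.M)
STATUS = re.compile(r"^HTTP/\d\.\w (\d{3})", re.M)
LOCATION = re.compile(r"^Location:\s*(\S+)", re.M | re.I)

def parse_exchanges(trace):
    """Split a trace on its dashed separators into (method, target, status, location)."""
    out = []
    for block in re.split(r"^-{10,}\s*$", trace, flags=re.M):
        req, status = REQ.search(block), STATUS.search(block)
        if not (req and status):
            continue  # separator-only or incomplete block
        loc = LOCATION.search(block, status.end())  # response headers only
        out.append((req.group(1), req.group(2), int(status.group(1)),
                    loc.group(1) if loc else None))
    return out

def find_repeated_gets(exchanges):
    """Flag a GET that immediately repeats the previous GET's target."""
    hits = []
    for prev, cur in zip(exchanges, exchanges[1:]):
        if prev[0] == cur[0] == "GET" and prev[1] == cur[1]:
            hits.append({"target": cur[1], "first_status": prev[2],
                         "second_status": cur[2], "second_location": cur[3]})
    return hits
```

On the constructed sample, `find_repeated_gets(parse_exchanges(SAMPLE_TRACE))` returns one hit: the AccountSummary.asp target, answered first with 200 and then with a 302 to `Login.asp?ReLogin=Y`.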
Reporter, are you still seeing this issue with Firefox 3.6.13 or later in safe mode or a fresh profile? If not, please close. These links can help you in your testing. http://support.mozilla.com/kb/Safe+Mode http://support.mozilla.com/kb/Managing+profiles
Whiteboard: [CLOSEME 2011-2-15]
No reply, INCOMPLETE. Please retest with Firefox 4 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest Firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE