Last Comment Bug 526462 - Java does not get cookie information from browser
: Java does not get cookie information from browser
Product: Core
Classification: Components
Component: Plug-ins (show other bugs)
: 1.9.2 Branch
: All All
: -- normal (vote)
: ---
Assigned To: Josh Aas
: Benjamin Smedberg [:bsmedberg]
: 532760 535089 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2009-11-04 04:45 PST by axianx
Modified: 2009-12-18 13:28 PST (History)
9 users (show)
jaas: blocking1.9.2+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Testcase (client applet and server php script) (2.82 KB, application/zip)
2009-11-12 03:06 PST, axianx
no flags Details
Another testcase (2.75 KB, application/zip)
2009-11-24 13:17 PST, Steven Michaud [:smichaud] (Retired)
no flags Details
fix v1.0 (1.03 KB, patch)
2009-11-24 19:06 PST, Josh Aas
roc: review+
dveditz: approval1.9.1.8+
Details | Diff | Splinter Review
unpatched->patched asm diff for fix v1.0 (7.83 KB, patch)
2009-11-24 19:34 PST, Josh Aas
no flags Details | Diff | Splinter Review

Description axianx 2009-11-04 04:45:01 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b1) Gecko/20091029 Firefox/3.6b1 (.NET CLR 3.5.30729)

When a java applet tries to send a HTTP request the cookie information is usually picked up automatically and sent to the server as a header.
This worked in firefox 3.5 but it is broken in firefox 3.6 beta 1.
Websites which rely on cookie information for session management and use java applets won't work any more.

Reproducible: Always

Steps to Reproduce:
1. Create a Java applet that uses URLConnection to periodically connect to 
the same server as the web page that contains the applet.  Normally the 
cookie information is picked up automatically and sent to the server as a 
2. Put the web page up on a server that uses sessions (or something else 
that sets a cookie).  For example, PHP with session_start().
3. Load the web page - it should work fine at first. 
4. Refresh the browser window while the applet is running.  The browser 
itself maintains the session; but on its next load the Java applet stops 
getting the cookie information and therefore loses session information.

Actual Results:  
The cookie informaton is lost in the applet HTTP request. If you use cookie based session management the webserver cannot link the applet request to the existing browser session and replies by sending a new session cookie.

Expected Results:  
At any point the Java applet should keep sending the cookie header with 
each request. The cookie contents should be consistent with the cookie information from the browser.
Comment 1 Matthias Versen [:Matti] 2009-11-04 09:01:25 PST
Do you use the new java plugin (npapi) with FF3.5 or the old (oji) one ?
3.6 will only use the new one AFAIK.
Comment 2 axianx 2009-11-04 11:27:05 PST
I tried both plugins on FF 3.5, but I can only reproduce the bug with 3.6.
You are right, 3.6 only uses the next-generation java plugin (and ignores differing settings in the java control panel).
Comment 3 Matthias Versen [:Matti] 2009-11-04 13:52:37 PST
Do you mean that FF3.5 on your system used the old plugin and it worked while FF3.6 is using the new NPAPI plugin and fails ?

In that case it seems to be a JRE Plugin issue, the support for the cookies got added with bug 470993 for NPAPI plugins.
Comment 4 axianx 2009-11-05 01:56:34 PST
I tried FF 3.5 with the old plugin and it worked.
I also tried FF 3.5 with the new NPAPI plugin and it worked too.
FF 3.6 uses the new NPAPI plugin and fails.
This is a regression bug.

I suggest to mark this bug as a blocker because proper cookie handling is essential to web applications.
Comment 5 Johnny Stenback (:jst, 2009-11-11 09:34:05 PST
Josh, can you debug this on Windows? If not, let me know and I'll make time to have a look. Seem like the Java plugin should get the cookie information through our _getvalueforurl(), maybe double check that it gets called and works etc first? or Hao, a testcase available to Mozilla developers would be excellent here, can either of you (or anyone else) provide one? We need that to be able to confirm this bug, and block the release on it if so needed.

Also axianx, knowing what Java version you use would help ensure this is a problem in Mozilla code and not in an older version of Java. Thanks!
Comment 6 Josh Aas 2009-11-11 12:46:30 PST
I can take a look but we need a test case and the reporter's Java version, as mentioned in comment #5.
Comment 7 axianx 2009-11-12 02:29:49 PST
@Johnny: I tested firefox 3.6 beta 2 and the latest JRE 6 update 17
Comment 8 axianx 2009-11-12 03:06:03 PST
Created attachment 411936 [details]
Testcase (client applet and server php script)

I attached a testcase. Check README.txt for more detailed
The testcase contains a tiny server script (php). I tried the testcase locally
with XAMPP (apache+php). Unfortunately I cannot provide you with a public test site.
If you need assistance using (compiling, packaging, signing..) the testcaase feel free to contact me:
Comment 9 Mike Beltzner [:beltzner, not reading bugmail] 2009-11-19 08:14:17 PST
Blocking decision now that there's a testcase?
Comment 10 Josh Aas 2009-11-24 10:52:17 PST
Whatever is wrong here (if anything) doesn't seem to affect a lot of people, I don't think we need to block. We're still testing though, will change the decision if we find something bad enough.
Comment 11 Josh Aas 2009-11-24 11:22:54 PST
Steven's other cookie test cases are failing on Windows, I'll let him comment more but reversing decision to blocking+.
Comment 12 Steven Michaud [:smichaud] (Retired) 2009-11-24 13:17:41 PST
Created attachment 414342 [details]
Another testcase

Here's another testcase, which may (I hope) be easier to use.

The testcase's files need to be served from a web server that supports
PHP.  I know the copy of Apache bundled with OS X does support PHP,
but you need to edit one of its config files to turn that support on.
On the assumption that Josh (like me) is more familiar with OS X than
with other OSes, I'll make my instructions specific to OS X.  They'll
also be specific to OS X 10.5.8 -- which is where I run Apache on OS
X.  The instructions for OS X 10.6.2 (or indeed for other platforms)
are presumably not too different.

1) Edit /etc/apache2/httpd.conf to uncomment the following line:

   LoadModule php5_module        libexec/apache2/

2) Create a directory under /Library/WebServer/Documents to contain
   the files from -- I used "cookie".  Then unzip into this directory.

3) Turn on the Apache server by doing the following.  (If it's already
   running, you'll need to turn it off and on, so that it picks up the
   settings change from step 1.)

   In the Sharing pref panel check (or uncheck and check) the "Web
   Sharing" service.

   You should now be able to connect to the server locally by visiting
   'http://localhost/', or remotely by visiting

4) Visit 'http://localhost/cookie/session.html' (or

   After a few seconds, a Java applet will load that contains a large
   "Connect" button to the left and an empty frame to the right.

5) Click on the "Connect" button.  This makes the applet connect back
   to the server to load session.html in the empty frame.

   Now the once-empty frame will contain a page entitled "Session Test
   Page" with two more lines in it:

   The current count is 1.
   The current session id is [32-digit-hexadecimal-number].

6) Click again on the "Connect" button.

   If the applet is able to access the browser cookie store, the
   "current count" will increment to '2' and the "session id" will
   stay the same.

   If the applet is unable to access the browser cookie store, the
   "current count" will stay at '1' and the "sesion id" will change.

The PHP server (Apache) needs to store the "session id" in a browser
cookie (one whose lifetime is limited to the duration of the session).
So part of the HTTP traffic it sends to the applet tells it to create
a cookie whose "site" is "localhost" (or "") and whose
"name" is "PHPSESSID".  You can see this cookie by choosing "Page
Info" and clicking on the "View Cookies" button (under the "Security"

For some reason you can still "see" the cookie even if the applet
wasn't able to get the browser to create one.  But notice that its
"Content" (the session id) keeps changing every time you press the
applet's "Connect" button.

I ran my tests on Windows XP, with the current Sun Java plugin (6.0
Update 17), using today's Shiretoko (1.9.1 branch, FF 3.5.X), Namoroka
(1.9.2 branch, FF 3.6) and Minefield (trunk) nightlies.  Cookies
"worked" with Shiretoko, but not with Namoroka or Minefield.

For complicated reasons I've been unable to test on Linux.  But I
suspect this bug also exists there.  It doesn't exist on OS X (at
least using my testcase).
Comment 13 Steven Michaud [:smichaud] (Retired) 2009-11-24 13:19:53 PST
I'm going away for Thanksgiving.  So I'm not going to be able to work
on this bug until next week.  With luck, once I get back I'll find that
Josh has fixed it :-)
Comment 14 Steven Michaud [:smichaud] (Retired) 2009-11-24 13:30:41 PST
> 5) Click on the "Connect" button.  This makes the applet connect
>    back to the server to load session.html in the empty frame.

Oops.  This should read:

5) Click on the "Connect" button.  This makes the applet connect back
   to the server to load session.php in the empty frame.
Comment 15 Steven Michaud [:smichaud] (Retired) 2009-11-24 14:03:52 PST
> For some reason you can still "see" the cookie even if the applet
> wasn't able to get the browser to create one.  But notice that its
> "Content" (the session id) keeps changing every time you press the
> applet's "Connect" button.

Actually, it sounds like the Java applet *does* get the browser to
create a cookie, but is unable to access/read it after it was created.
Comment 16 Josh Aas 2009-11-24 17:17:37 PST
I can also reproduce this now. I have Steven's test case set up on a Mac OS X web server.

Windows (7) with Java SE 6 Update 17 has the bug in Firefox 3.6b3 but not Firefox 3.5.5.

Linux (Ubuntu 9.10 64-bit) with Java SE 6 Update 15 has the bug in Firefox 3.6b3 but not Firefox 3.5.5.

Mac OS X (10.6) does not have the bug in Firefox 3.5.5 or Firefox 3.6b3.

So this is not a Windows-only problem.
Comment 17 Josh Aas 2009-11-24 19:06:21 PST
Created attachment 414423 [details] [diff] [review]
fix v1.0

This is our bug, this patch fixes it. *Why* this patch fixes it I do not know yet.

The NS_FAILED check in question was always returning true, even when the call within it was returning NS_OK. With the value broken out into its own variable the problem doesn't happen.
Comment 18 Josh Aas 2009-11-24 19:34:20 PST
Created attachment 414430 [details] [diff] [review]
unpatched->patched asm diff for fix v1.0
Comment 19 Robert O'Callahan (:roc) (email my personal email if necessary) 2009-11-24 19:47:00 PST
Comment on attachment 414423 [details] [diff] [review]
fix v1.0

The destructor for getter_Copies sets cookieStr and therefore needs to run before we test cookieStr. Without this patch, it runs after we test cookieStr.
Comment 20 Josh Aas 2009-11-24 19:54:54 PST
I want to get this in ASAP, filed bug 530980 for tests which I'll write soon.
Comment 21 Josh Aas 2009-11-24 23:41:50 PST
pushed to mozilla-central, tests are in review in bug 530980
Comment 22 Josh Aas 2009-11-25 07:44:54 PST
pushed to mozilla-1.9.2
Comment 23 Samuel Sidler (old account; do not CC) 2009-11-25 11:47:59 PST
These bugs landed after b4 was cut. Moving flag out.
Comment 24 Daniel Veditz [:dveditz] 2009-11-30 14:46:51 PST
Several comments say this bug does not affect 3.5.x -- why would this block?
Comment 25 Josh Aas 2009-11-30 16:30:32 PST
This does affect 3.5.x, 3.5.x users just don't use the new Java plugin by default so it usually doesn't, and no other popular plugin retrieves cookies from the browser this way (yet). If we don't fix this in 3.5.x then no pure NPAPI plugin can ever get cookies from the browser in 3.5.x.
Comment 26 Daniel Veditz [:dveditz] 2009-11-30 17:47:17 PST
You're saying axianx in comment 4, smichaud in comment 12, and you in comment 16, were all testing it incorrectly? What is the correct way to test? QA is going to need to know how to verify the fix if we're going to take it.
Comment 27 Josh Aas 2009-11-30 18:47:15 PST
What I said in comment 25 is correct. The confusion in previous testing comes from the fact that the Java plugin will attempt to use XPCOM to obtain cookies if the NPAPI option fails. NPAPI cookie retrieval is broken in 3.5 and 3.6 but the fallback Java uses works in 3.5 while it does not in 3.6 (the XPCOM option is gone in 3.6). We don't want to force plugin developers to use XPCOM to access cookies on 3.5.x, which is what we'll be doing if we don't take this patch.

I have confirmed this with Sun, NPAPI cookie retrieval fails in 3.5.x and Java has to use XPCOM.

Testing is tough because unfortunately no existing plugin depends exclusively on NPAPI to get cookies, but how could they - it is totally broken. I looked into porting my test in bug 530980 to the 1.9.1 branch but the plugin testing framework on the 1.9.1 branch is far too immature.

The good news is that the patch here is super simple (could hardly be simpler), we know it works in 3.6 and it works with the npjp2 Java plugin.
Comment 28 Daniel Veditz [:dveditz] 2009-12-02 15:18:26 PST
Comment on attachment 414423 [details] [diff] [review]
fix v1.0

Approved for, a=dveditz for release-drivers
Comment 29 Josh Aas 2009-12-09 11:05:54 PST
pushed to mozilla-1.9.1
Comment 30 John P Baker 2009-12-16 00:59:44 PST
*** Bug 535089 has been marked as a duplicate of this bug. ***
Comment 31 Cyril Pawelko 2009-12-18 13:28:08 PST
*** Bug 532760 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.