Closed Bug 660624 Opened 14 years ago Closed 5 years ago

cookieBehavior set to 1 blocks first-party cookies

Categories: Firefox :: Security
Type: defect
Priority: Not set
Severity: major
Status: RESOLVED INACTIVE
Reporter: firefox; Assignee: Unassigned

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

This was tested with Firefox 4.0.1 under Windows XP, Linux Ubuntu and Mac OS.

Given that the browser has this configuration:
network.cookie.cookieBehavior = 1 --> Only cookies from the originating server are allowed.

Redirection via an autosubmit from a different site to our site causes a session expiration page because the session cookie is not submitted.

Reproducible: Always

Steps to Reproduce:
1. Open www.lidl.de in Firefox 4.0.1 in any OS.
2. Start the checkout and in the payment page, choose credit card.
3. Click Cancel.

Actual Results:
When the user is brought back to the shop, they see the session expiration page because the session cookie (and all other www.lidl.de cookies) were not received by the server.

Expected Results:
They should not see the session expiration page because there is a valid session. The problem is that the cookies were not sent by the browser.

Evidently from the HTTP logs and browser tools like Tamper Data, no cookies were sent by the browser to lidl.de during this autosubmit redirection, so the server was not able to attach a session. They should be sent by the browser because the assigned session cookie is a first-party cookie. It is not a session issue on the server, because clicks after this reveal that the cookie is passed again and the session is valid again.

In this payment page, an iframe embeds the payment provider's window. When the authentication and authorization are successful, it redirects the user to the shop. This means the referrer is the payment provider. At this point, cookies are not provided in the request.

We've tried in Firefox 3.5, 3.6, Chrome, IE7 and IE8 and it works even if the option "Disable third-party cookies" is checked.
Probably an important piece of info is that this is happening within an iframe.
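To make the reported behaviour concrete, the following is an added model of the cookieBehavior=1 decision in the checkout flow above; it is not Firefox code and not from the reporter. It compares a check keyed on the document that issues the request (the provider page inside the iframe, i.e. the referrer, which is how the report describes Firefox 4.0.1) with one keyed on the top-level window (what the reporter expects). The provider hostname and all paths are placeholders, and the registrable-domain helper is a deliberate simplification of the Public Suffix List lookup a real browser does.

```python
from urllib.parse import urlsplit

# Constructed model of the cookieBehavior=1 decision, not Firefox code.

def site(url: str) -> str:
    """Registrable domain of a URL, approximated as the last two host labels.
    Simplification: a real browser consults the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def cookies_sent(request_url: str, first_party_url: str, cookie_behavior: int) -> bool:
    """Would the browser attach cookies to request_url?
    0 = send all, 1 = only when the request's site matches the first party's
    site, 2 = no cookies at all (the pref's other long-standing values)."""
    if cookie_behavior == 0:
        return True
    if cookie_behavior == 2:
        return False
    return site(request_url) == site(first_party_url)

# Navigation from the report (provider host and paths are placeholders):
TOP_LEVEL = "https://www.lidl.de/checkout/payment"    # shop page hosting the iframe
FRAME_DOC = "https://pay.provider.example/authorize"  # provider page inside the iframe
RETURN_URL = "https://www.lidl.de/checkout/return"    # target of the auto-submitted form

def checkout_return(cookie_behavior: int, first_party_from: str) -> bool:
    """first_party_from = "frame": the first party is the document issuing the
    request (the provider page, i.e. the referrer), as the report describes
    for Firefox 4.0.1.
    first_party_from = "top": the first party is the top-level window, which is
    what the reporter expects for the shop's own session cookie."""
    first_party = FRAME_DOC if first_party_from == "frame" else TOP_LEVEL
    return cookies_sent(RETURN_URL, first_party, cookie_behavior)

if __name__ == "__main__":
    for policy in ("frame", "top"):
        print(f"cookieBehavior=1, first party from {policy:5}: "
              f"session cookie sent = {checkout_return(1, policy)}")
```

With the frame-keyed check the shop's session cookie is withheld on the return request, which is exactly the session-expiration symptom in the report; the top-level-keyed check sends it.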
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INACTIVE