Closed Bug 950399 Opened 11 years ago Closed 9 years ago

FF26: Loses cookie settings for facebook and youtube after startup, need to re-login

Categories

(Firefox :: Session Restore, defect)

Product:
Firefox
Component:
Session Restore
Version:
26 Branch
Type:
defect
Priority:
Not set
Severity:
normal
Points:
5

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 38
Iteration:
38.1 - 26 Jan
Tracking Flags:
Tracking Status
firefox28 --- wontfix
firefox35 --- wontfix
firefox36 --- verified
firefox37 --- verified
firefox38 + verified
relnote-firefox --- 36+

People

(Reporter: banakon, Assigned: ttaubert)

References

Details

(Keywords: regression, reproducible, Whiteboard: [STR in comment 53])

Attachments

(2 files, 1 obsolete file)

0001-Bug-950399-SessionStore-shouldn-t-forget-domain-cook.patch, v2
3.72 KB, patch
Yoric
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review
0002-Bug-950399-Tests-for-domain-cookies.patch
8.13 KB, patch
Yoric
: review+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

as since 5 years, I open FF26 with Fb and youtube tabs of the restored session.


Actual results:

starting with ff26 (ok with ff25 and previous!!) I am not logged in into facebook and youtube.


Expected results:

always logged in even after FF shoutdown.
its very very annoying to reset manually all the youtube personal settings that are lost by closing ff : reset the country, the size of the player the annotation on the video...
this happened exactly after switching to ff26.
a new way to handle Delete cookies at FF shoutdown?
but I tried unchecking Delete cookie too.
(except of the sessions well restored) this behaviour is the same as when I check Delete browsing history.
I cannot use FF26, its annoying to lose one minute to restore youtube settings every FF startup.
the same with facebook.
Summary: FF26: cookie issues with Fb and YT → FF26: Loses cookie settings for Fb and YT after startup, need to re-login
I read that Mozilla will be closed for Xmas holiday until january.
please tell me if I have to add some useful infos for troubleshooting the issue. thanks.
do you have ccleaner installed?


(In reply to banakon from comment #3)
> re-up.

please don't do this
Flags: needinfo?(banakon)
Whiteboard: [closeme 2014-02-01]
thanks for investigating further. its very annoying having to relog at firefox startup.
cclenaer: not available here. never used.

I will see what happens on the 4th febrauary, upgrading to ff27, bevause this issue appeared exactly after updating to ff26. 

the strange: not only relog-in is needed, but all the personal YT settings too: video window size, country...
no matter if I clear or leave untouched the cache cookie settings. very very strange.

ok about the re-up, sorry ;)
Flags: needinfo?(banakon)
(I wrote to mozilla forums: english, italian, german, mozillazine. No reply. :(
(In reply to banakon from comment #5)
> I will see what happens on the 4th febrauary, upgrading to ff27, bevause
> this issue appeared exactly after updating to ff26. 
And?
Flags: needinfo?(banakon)
Whiteboard: [closeme 2014-02-01] → [closeme 2014-03-01]
still the problem with ff27 too.
I have to login into FB and YT every time I open firefox!
Flags: needinfo?(banakon)
Whiteboard: [closeme 2014-03-01]
perhaps a new behaviour of google and facebook?
there are other people which need to re-login? FF deletes the needed cookies when closing, even if I set it to Dont delete cache e coockies when closing.
Are you sure it lost them?
Check in Tools | options | security | Saved passwords
Flags: needinfo?(banakon)
Summary: FF26: Loses cookie settings for Fb and YT after startup, need to re-login → FF26: Loses cookie settings for facebook and youtube after startup, need to re-login
the password are saved. no problem. 
the issue: I have to re-login at ff startup.
Until FF25 I did not need to re-login into FB and YT.

this is my problem. not only re-login but all the YT personal settings are not saved. I have to resize the yt screen (expanded window), I have to reset the Annotations behaviour, as explained above.
At every FF startup.

This is the normal behaviour ONLY if I set FF to Delete cache cookies history!

what to do?
Flags: needinfo?(banakon)
Even if I add plus.google.com, facebook.com, apis.google.com....as exceptions in the Option window, I have to relogin. this is the bad.
This applies to FF27 and FF28 as well, and to gmail.com / mail.google.com

Comparing the raw data, from FF25 and FF27/28, found on the about:support internal web page didn't show an obvious cause.

Settings:
privacy.donottrackheader.enabled;false
privacy.donottrackheader.value;1
network.cookie.alwaysAcceptSessionCookies;false
network.cookie.cookieBehavior;1
network.cookie.prefsMigrated;true
network.cookie.thirdparty.sessionOnly;false
status-firefox28: --- → ?
Anyone who can reproduce this (I can't), could you try to find the regression range?
Nightly builds are available from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/
and based on https://wiki.mozilla.org/RapidRelease/Calendar
nightlies were FF26 between 2013-08-05 and 2013-09-16
status-firefox28: ?affected
I have tried reproducing this on linux with gmail and facebook, no luck.
WFM, Firefox28 keeps login to Facebook, gmail, YouTube after restore previous session. 

https://hg.mozilla.org/releases/mozilla-release/rev/5f7c149b07ba
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20140314220517
I am able to reproduce always.
restoring the previous session, I have to re-login (into FB, YT, I dont have gmail). ff28 too. Issues started with ff26, as said.
The last build I was able to reproduce this with was (hyperlink): https://hg.mozilla.org/mozilla-central/rev/e84a391b604b

Also I created a new, fresh, profile with that nightly. The settings at the Tools > Options menu let you configure these tunables:

app.update.auto;false
app.update.enabled;false
browser.startup.page;3
network.cookie.cookieBehavior;1
network.cookie.lifetimePolicy;1
network.cookie.prefsMigrated;true
network.cookie.alwaysAcceptSessionCookies;false
signon.rememberSignons;false
(In reply to Olli Pettay [:smaug] from comment #15)
> I have tried reproducing this on linux with gmail and facebook, no luck.

Did you change any settings at Tools > Options > Privacy? As mentioned earlier, on ff25 this

browser.startup.page;3
network.cookie.cookieBehavior;1
network.cookie.lifetimePolicy;1
network.cookie.alwaysAcceptSessionCookies;false
signon.rememberSignons;false

did keep $cookie.

Ironically, newer builds seem to wipe the bugzilla cookie too.

Regression range: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=3c61cc01a3b1&tochange=a8daa428ccbc
(In reply to Wayne Mery (:wsmwk) from comment #10)
> Are you sure it lost them?
> Check in Tools | options | security | Saved passwords

That is the first thing I disable, and that does not seem related to this bug.
(In reply to vidwer+mozbugzilla from comment #19)
> The last build I was able to reproduce this with was (hyperlink):
> https://hg.mozilla.org/mozilla-central/rev/e84a391b604b
For completenes, this is a known good build: http://hg.mozilla.org/mozilla-central/rev/3c61cc01a3b1
and known buggy build (with the settings from comment #19 applied) is http://hg.mozilla.org/mozilla-central/rev/a8daa428ccbc
(In reply to vidwer+mozbugzilla from comment #23)
> This bug was introduced by
> http://hg.mozilla.org/mozilla-central/rev/4a4cef561232

That would be Bug 903398.

setting network.cookie.lifetimePolicy;1 (in UI: "Keep until: ask me every time") causes a dialog with several choices to appear.
What do you choose there?
If you reset that one and keep the others is the Issue reproducible?
Component: Untriaged → Session Restore
Keywords: regressionwindow-wanted
(In reply to XtC4UaLL [:xtc4uall] from comment #24)
> (In reply to vidwer+mozbugzilla from comment #23)
> > This bug was introduced by
> > http://hg.mozilla.org/mozilla-central/rev/4a4cef561232
> 
> That would be Bug 903398.
> 
> setting network.cookie.lifetimePolicy;1 (in UI: "Keep until: ask me every
> time") causes a dialog with several choices to appear.
> What do you choose there?

"Allow for Session" with the checkbox "Use my choice for all cookies from this site" tiecked.

> If you reset that one and keep the others is the Issue reproducible?

Yes, the (mis)behaviour is identical.
I can't reproduce this. If I chose "keep me logged in" when logging into Facebook I'm indeed logged in when restarting the browser with automatic sessionrestore enabled. Does this issue exist in safe-mode with all add-ons disabled?
yes.
Do you have any other non-default settings that might impact our cookie behavior?
as said, with ff "until 25" I remain logged in even if I set Delete cookie e cache at ff shoutdown, starting with ff26 even if I UNcheck these boxes I am unlogged at ff startup.

I dont changed the coockie bahavior (always *delete* cache cookie when closing ff), now after this issue I unchecked the boxes. no other changes about the cookies.
the bad: not only I need to relogin into both FB and YT, but I need to re-set all my personal settings in youtube: windows size, annotations....at each ff startup.
but the people above were able to reproduce this issue right?
(In reply to Tim Taubert [:ttaubert] from comment #28)
> Do you have any other non-default settings that might impact our cookie
> behavior?

From about:support, as requested on IRC:

Important Modified Preferences
Name 	Value accessibility.typeaheadfind	true
browser.cache.disk.capacity	358400
browser.cache.disk.smart_size_cached_value	358400
browser.cache.disk.smart_size.first_run	false
browser.cache.disk.smart_size.use_old_max	false
browser.places.smartBookmarksVersion	6
browser.sessionstore.upgradeBackup.latestBuildID	20140328231750
browser.startup.homepage_override.buildID	20140328231750
browser.startup.homepage_override.mstone	26.0a1
dom.mozApps.used	true
extensions.lastAppVersion	26.0a1
network.cookie.cookieBehavior	1
network.cookie.lifetimePolicy	1
network.cookie.prefsMigrated	true
places.database.lastMaintenance	1396027814
places.history.expiration.transient_current_max_pages	104858
plugin.disable_full_page_plugin_for_types	application/pdf
plugin.importedState	true
privacy.sanitize.migrateFx3Prefs	true
storage.vacuum.last.index	1
storage.vacuum.last.places.sqlite	1396027733
(In reply to Tim Taubert [:ttaubert] from comment #26)
> I can't reproduce this. If I chose "keep me logged in" when logging into
> Facebook I'm indeed logged in when restarting the browser with automatic
> sessionrestore enabled. Does this issue exist in safe-mode with all add-ons
> disabled?

I haven't tried safe mode, but there are no add-ons installed in the (disposable) profile I'm using.
I had something like this happen yesterday. iirc I changed no settings prior to restart. There might have been addon updates - unsure
(wrong bug - I meant bug 936568)
is this bug closed?
Flags: firefox-backlog+
Keywords: qawanted
(In reply to banakon from comment #35)
> is this bug closed?

No, it's not closed. We are still investigating and need a reliable STR to confirm this issue.
a question for the experts:
may this bug be related to another bug started by me, like this one?
https://bugzilla.mozilla.org/show_bug.cgi?id=992658

thanks.
may be related with the surprire from today??
https://bugzilla.mozilla.org/show_bug.cgi?id=1015579
may be related with the surprise from today??
https://bugzilla.mozilla.org/show_bug.cgi?id=1015579
after 5 months is this bug still "unconfirmed"?
(In reply to banakon from comment #40)
> after 5 months is this bug still "unconfirmed"?

Yes, because we still have no way to reproduce this issue. It seems to only affect a tiny number of people.
does this means that the user are already logged in at ff restart?
is this case it were useful investigatin the configuration/setting of the user which are still logged in whaen restarting ff.
banakon: Please stop spamming the same URL three times in a row here.  You create bugmail that people need to read and this behavior is counter-productive in case you try to get attention.
Andre Klapper see please my previous replies, in other 3d too, to understand the reasons of my behaviour (only on certain 3d). thanks for reading and thinking.
if you could or want to explain better why you dont reply nor resolve my issues, then I will understand better.
as said in the repply today:
I respect you and your time, but you HAVE to respect me and my time dedicated in expaining my issues to get a better firefox (not only for me). thanks.
Please provide steps to be able to reproduce this, and verify if it happens on latest Firefox.
Thank you.
Keywords: qawantedsteps-wanted
(In reply to Juest Zungo from comment #48)
> Please provide steps to be able to reproduce this

Using the cursor:

Privacy ->
[x] Accept cookies from sites
    Accept third-party cookies: Never
    Keep until: ask me every time

Using about:config
network.cookie.cookieBehavior;1
network.cookie.lifetimePolicy;1

> and verify if it happens on latest Firefox.

This happens on firefox 32.0.2
(In reply to Juest Zungo from comment #48)
> Please provide steps to be able to reproduce this, and verify if it happens
> on latest Firefox.
> Thank you.

Configure the profile to use the settings mentioned in this comment: https://bugzilla.mozilla.org/show_bug.cgi?id=950399#c49

Then log in to gmail.com if you use gmail/other google services.
The behaviour also occurs in nightly build 38.0a1.
[Tracking Requested - why for this release]:

Thanks very much for re-testing this, vidwer!
Status: UNCONFIRMED → NEW
status-firefox38: --- → affected
tracking-firefox38: --- → ?
Ever confirmed: true
STR:

1) Install "Restartless Restart" extension
2) Enable "Show my windows and tabs from last time"
2) Log into Facebook (with "keep me signed in" = true)
3) Hit "File > Restart" to restart the browser

Expected:

Should show your Facebook stream.

Actual:

You've been logged out of Facebook.

Regression range:

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8a62355ea26&tochange=a8daa428ccbc
Blocks: 903398
Keywords: steps-wantedreproducible
Whiteboard: [STR in comment 53]
OS: Windows Vista → All
Hardware: x86 → All
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Iteration: --- → 38.1 - 26 Jan
Points: --- → 5
Flags: qe-verify+
Testing this shouldn't be hard but it'll probably take me some time to write the test.
Attachment #8549515 - Flags: review?(dteller)
The summary here is that I didn't know about nsICookie.host's behavior wrt to domain cookies:

http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path

If no domain= parameter is given then the cookie will be sent again only for the request host. No subdomains or parent domains.

If a domain= parameter is given then that means that nsICookie.host will give back a host string with a leading dot. In that case we will send the cookie for any subdomains of the given domain.

Facebook sends its cookies with domain=.facebook.com so we'll send them for all their subdomains. getCookiesForHosts() did not find anything for "www.facebook.com" and so we ended up discarding those.
Yay for tests. Turns out we need to collect cookies for "domain=.facebook.com" as well when we have tabs with "facebook.com" loaded. So it's basically the domain including any subdomains.
Attachment #8549515 - Attachment is obsolete: true
Attachment #8549515 - Flags: review?(dteller)
Attachment #8549560 - Flags: review?(dteller)
Comment on attachment 8549592 [details] [diff] [review]
0002-Bug-950399-Tests-for-domain-cookies.patch

Review of attachment 8549592 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/components/sessionstore/test/browser_cookies.js
@@ +42,5 @@
> +  yield testCookieCollection({
> +    uri: "http://example.com" + PATH + "browser_cookies.sjs?domain=example.com",
> +    cookieHost: ".example.com",
> +    cookieURIs: ["http://example.com" + PATH, "http://www.example.com/" + PATH],
> +    noCookieURIs: ["about:robots"]

Where does this "about:robots" come from?

@@ +89,5 @@
> +  // Wait for the browser to load and the cookie to be set.
> +  yield Promise.all([
> +    waitForNewCookie(),
> +    replaceCurrentURI(browser, params.uri)
> +  ]);

Nit: That's actually less clear than `yield waitForNewCookie(); yield replaceCurrentURI(browser, param.uri)`.

@@ +100,5 @@
> +    let cookie = getCookie();
> +    is(cookie.host, params.cookieHost, "cookie host is correct");
> +    is(cookie.path, PATH, "cookie path is correct");
> +    is(cookie.name, "foobar", "cookie name is correct");
> +    is(cookie.value, "1", "cookie value is correct");

Nit: Shouldn't we randomize this value, just to be on the safe side.

::: browser/components/sessionstore/test/browser_cookies.sjs
@@ +5,5 @@
> +
> +function handleRequest(req, resp) {
> +  resp.setStatusLine(req.httpVersion, 200);
> +
> +  let matches = req.queryString.match(/^domain=([^=&]+)/);

Nit: If you can use `URL` and `URLSearchParams`, this might be a bit simpler to read.
Attachment #8549592 - Flags: review?(dteller) → review+
Comment on attachment 8549560 [details] [diff] [review]
0001-Bug-950399-SessionStore-shouldn-t-forget-domain-cook.patch, v2

Review of attachment 8549560 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/components/sessionstore/SessionCookies.jsm
@@ +268,5 @@
> + *     http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path
> + *
> + * The Set-Cookie header allows passing a domain= attribute. nsICookie will
> + * signal that this optional attribute was given by prepending a dot to
> + * nsICookie.host.

Could you clarify a bit the documentation? There is no apparent relationship between the start and the end of the comment.

@@ +333,2 @@
>      let cookies = [];
> +    let hosts = this._hosts;

Nit: Why not use a fat arrow and `this._hosts`?

@@ +352,5 @@
> +    // Try to find cookies for subdomains, e.g. <.example.com>.
> +    // We will find those variants with a leading dot in the map if the
> +    // Set-Cookie header had a domain= attribute, i.e. the cookie will be
> +    // stored for a parent domain and we send it for any subdomain.
> +    for (let variant of getPossibleSubdomainVariants(host)) {

I believe that `for (let variant of [host, ...getPossibleSubdomainVariants(host)])` would let you avoid the local function. Your call.
Attachment #8549560 - Flags: review?(dteller) → review+
(In reply to David Rajchenbach-Teller [:Yoric] (use "needinfo") from comment #59)
> > +  yield testCookieCollection({
> > +    uri: "http://example.com" + PATH + "browser_cookies.sjs?domain=example.com",
> > +    cookieHost: ".example.com",
> > +    cookieURIs: ["http://example.com" + PATH, "http://www.example.com/" + PATH],
> > +    noCookieURIs: ["about:robots"]
> 
> Where does this "about:robots" come from?

Just a random internal page that should make use throw away the cookie. Any .example.com shistory entry would keep the cookie, so it doesn't really matter which page we use here. 

> > +  // Wait for the browser to load and the cookie to be set.
> > +  yield Promise.all([
> > +    waitForNewCookie(),
> > +    replaceCurrentURI(browser, params.uri)
> > +  ]);
> 
> Nit: That's actually less clear than `yield waitForNewCookie(); yield
> replaceCurrentURI(browser, param.uri)`.

The problem here is that I think we shouldn't rely on the browser being loaded before the cookie is set, or the other way around. That's way I used Promise.all() to wait for those in parallel. I modified the comment above to make that clear.

> > +    is(cookie.value, "1", "cookie value is correct");
> 
> Nit: Shouldn't we randomize this value, just to be on the safe side.

Sure, let's do that.

> > +  let matches = req.queryString.match(/^domain=([^=&]+)/);
> 
> Nit: If you can use `URL` and `URLSearchParams`, this might be a bit simpler
> to read.

Great idea, will do.
(In reply to David Rajchenbach-Teller [:Yoric] (use "needinfo") from comment #60)
> > + *     http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path
> > + *
> > + * The Set-Cookie header allows passing a domain= attribute. nsICookie will
> > + * signal that this optional attribute was given by prepending a dot to
> > + * nsICookie.host.
> 
> Could you clarify a bit the documentation? There is no apparent relationship
> between the start and the end of the comment.

Will do.

> @@ +333,2 @@
> >      let cookies = [];
> > +    let hosts = this._hosts;
> 
> Nit: Why not use a fat arrow and `this._hosts`?

No specific reason, decided against it in that moment. But we can totally do that.

> > +    for (let variant of getPossibleSubdomainVariants(host)) {
> 
> I believe that `for (let variant of [host,
> ...getPossibleSubdomainVariants(host)])` would let you avoid the local
> function. Your call.

Fancy idea, will do.
https://hg.mozilla.org/mozilla-central/rev/17b3a6d3ee1a
https://hg.mozilla.org/mozilla-central/rev/def4cd55d1f9
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 38
Comment on attachment 8549560 [details] [diff] [review]
0001-Bug-950399-SessionStore-shouldn-t-forget-domain-cook.patch, v2

Approval Request Comment
[Feature/regressing bug #]: bug 903398
[User impact if declined]: Facebook, Google, and other domain cookies will be ignored by sessionstore. When quitting&starting or restarting the browser users will have to log in again.
[Describe test coverage new/current, TBPL]: Adds a whole bunch of new tests.
[Risks and why]: The risk here is quite low. The code changes are minor and we added several tests that should have existed before to increase the probability that we got it right.
[String/UUID change made/needed]: None.
Attachment #8549560 - Flags: approval-mozilla-beta?
Attachment #8549560 - Flags: approval-mozilla-aurora?
Tim, make senses to relnote it?

Release Note Request (optional, but appreciated)
[Why is this notable]: Long standing bug
[Suggested wording]: Fix some unexpected logout from Facebook or Google
[Links (documentation, blog post, etc)]: None
relnote-firefox: --- → ?
Flags: needinfo?(ttaubert)
Attachment #8549560 - Flags: approval-mozilla-beta?
Attachment #8549560 - Flags: approval-mozilla-beta+
Attachment #8549560 - Flags: approval-mozilla-aurora?
Attachment #8549560 - Flags: approval-mozilla-aurora+
(In reply to Sylvestre Ledru [:sylvestre] from comment #66)
> Tim, make senses to relnote it?

Yeah, no objection here as some people might have noticed/wondered.
Flags: needinfo?(ttaubert)
Thanks. Added to the relnotes with "Fix some unexpected logout from Facebook or Google after restart" as wording
relnote-firefox: ?36+
QA Contact: cornel.ionce
Verified fixed on Windows 7 64-bit, Ubuntu 14.04 32-bit and Mac OS X 10.9.5 with the STR from comment 53 (and also with gmail and yahoo mail) using:
- latest Nightly, build ID: 20150120030203
- latest Aurora, build ID: 20150121004011
- Firefox 36 beta 2, build ID: 20150120155007
Status: RESOLVED → VERIFIED
status-firefox36: fixedverified
status-firefox37: fixedverified
status-firefox38: fixedverified
Keywords: qawanted
See Also: → 1015579
See Also: → 1291279
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: