Closed Bug 156725 Opened 22 years ago Closed 21 years ago

citibank.com - let you login, but after that any link report timeout

Categories

(Tech Evangelism Graveyard :: English US, defect, P1)

Product:
Tech Evangelism Graveyard
Component:
English US
Platform:
x86
Windows 2000
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: vadim, Assigned: arun)

References

(
URL
)

Details

(Keywords: ecommerce, regression, topembed+, Whiteboard: [login required] [adt2] [ETA Needed])

Attachments

(2 files, 2 obsolete files)

Opera 6.05 Illegal Cookie Path for Citibank Login
38.94 KB, image/jpeg
Details
add check for # and ; -- still untested
2.11 KB, patch
Details | Diff | Splinter Review 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a+) Gecko/20020708
BuildID:    2002070813

Citibank let you login, but after that any link report timeout.
Citibank works fine with 1.0 and 1.1alpha build

Reproducible: Always
Steps to Reproduce:
1. login to citibankonle
2. click on "Account Information"

Actual Results:  
------------------------------
We're sorry, but your access to this part of the site has timed out.

The site has been built to time out after a period of inactivity, to protect
your account information. 
------------------------------

Expected Results:  Account infomation

This worked fine with 1.0 and 1.1.alpha build.  It also worled fine with night
build at about 6/15/02 (sorry bon't have build #).  It still works fine with IE.
 This error appears in both my work and my home computers (both win2k, same
build ID).  I can add source of the pages, if needed.
I thinj that this is a duplicate of bug 85557
I don't think so.  bug 85557 says that javascript doesn't work at all.  Here is 
seems that there is a problem with cookies, or access to cookies.  My 
understanding is, that time information is stored in cookies.
Well, it has been resolved.

Citibank changes there webintephaze yestarday, and new one works.  There is
still be a problem with not displaying Account Page, but this is related to bug
85557.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Citibank went back to older design, and the problem exist again.
Status: RESOLVED → UNCONFIRMED
Resolution: FIXED → ---
Summary: Citibank let you login, but after that any link report timeout → citibank.com - let you login, but after that any link report timeout
Whiteboard: [login required]
This is happening to me on OS X, so it's not just a Windows-specific bug.
This was working again shortly after this bug report and then around the
27th/28th it started to timeout again, seems like some kind of regression in
Mozilla worked fine during 1.1 prep and freeze.  I'm using Windows XP and the
latest build of 083008.
Is anyone going to work on this, this is definitely a regression, to say the
least very annoying.  All my other ssl/javascript site work just fine, it's on
CitiBank's that derives a timeout immediately after loggin into the Direct
Access section.

Will anyone be working on this before 1.2 gets released, locked down for release?
This is not evangelism. -> browser
Component: US Banks → Cookies
Product: Tech Evangelism → Browser
Version: unspecified → other
Any luck with this, seems to be a similar dialog toward the end of this bug -->
85557.  This really cripples my Moz usage since I do all my banking online, thanks.
Not really sure how to get this higher in priority, but this definitely seems to
be a 1.2alpha regression.  Thanks.
*** Bug 169645 has been marked as a duplicate of this bug. ***
*** Bug 169715 has been marked as a duplicate of this bug. ***
-> default owner + a "few" keywords (note : i have no Account there)
Assignee: aruner → morse
Severity: normal → major
Keywords: ecommerce, mozilla1.2, regression
QA Contact: bclary → tever
Please treat this as a STOP SHIP bug for new US browser releases. Thanks.

Steve please work with Marina if you need to test logins.
Keywords: nsbeta1, topembed
Priority: -- → P1
Marking as topembed+/nsbeta1+ as this is a significant and visible regression of
a top banking site, from a previous release.
Keywords: nsbeta1, topembednsbeta1+, topembed+
Whiteboard: [login required] → [login required] [adt2] [ETA Needed]
Target Milestone: --- → mozilla1.2beta
Waiting for personal response from either marina or from jj with a login.
Thanks for the great response on this, just some more info in case it helps.

Every since the Moz 1.2 daily builds got opened up this error has come up, it
was there for a very short time with the 1.1 builds and then it went away.  I
think it was around August 24th-27th daily builds that this started happening,
in case that helps.

Now I have to resort to using either IE or NS 7 to login.  Thanks again.
Version 1.0.1 build 2002082606 works fine.
I've seen this using 7.0 RTM for a while, but not anymore. They must have fixed
it on their end in the past few days.

Something slightly related that I still see once a secure session has been
opened on citibank.com is that I get immediately kicked out (or timed out) if I
use the "back" button of the browser. In the past, navigation buttons never
worked, but they were simply refreshing the current page, without closing the
session.
(they have their own navigation bar on each page, which works)

for info, I'm running 7.0 RTM on MacOS X. Let me know if you'd like me to do
some specific testing on that site. You can also come by and see me for "live
testing" if you want.
At first I thought that this was a consequence of bringing our path-testing for
cookies in line with the RFC2109 spec.  See bug 155083 comment 18.  We knew we
were going to break some cites and we needed to find out which ones.

Indeed citibank is setting some cookies that it shouldn't be.  For example the
citibank host at

   https://web.da-us.citibank.com
          /cgi-bin/citifi/scripts/login/user_agreement.jsp

is attempting to set the following cookies:

   TPI=...; path=/ghs; domain=.da-us.citibank.com

   oatmeal=...; expires=Sat, 20-Sep-03 21:24:00 GMT;
   path=/signin; domain=.da-us.citibank.com"

   UAA=...; expires=Sat, 20-Sep-03 21:24:00 GMT;
   path=/signin; domain=.da-us.citibank.com"

   quicklink=...; expires=Sat, 20-Sep-03 21:24:00 GMT; path=/signin"

Note that each of the above cookies are for a path that the setting site does
not have access to.

However, I backed out the patch for 155083 but no luck.  The cookies were now
getting set but we still had the symptoms described in this report.

Still investigating.
Status: NEW → ASSIGNED
This one is proving extremely difficult to zero in on, due to the extremely
large number of cookies that this site is setting.  It would help if I had some
cooperation from the citibank technical people to find out which cookie they are
not liking.  I called them but they were less than cooperative (we don't have a
big enough market share).

I have found a few problem so far, but even with those corrected the site is
still not working.  What I have found is:

1. Site is setting cookie paths in violation of the cookie spec (see comment20).
2. We are confusing session cookies with expired cookies.  The fix for this is:

   in COOKIE_SetCookieStringFromHttp add the following:

    expires = cookie_ParseDate(date);
+   if (expires == 0) {
+     expires = 1; // avoid confusion with session cookies
+   }

Does this Ebay/Passport issue look like a dupe? bug 170396
If so please mark it. Thanks.
Steve we will try to get someone to work with you.
After some very tedious debugging, I finally found another problem with the
site.  Namely the site was setting a cookie as follows:

   cookie name = TPI
   path = /ghs

and then requests were made from the following sites:

   t9863624.da-us.citibank.com/ghs/PHP/?D=M&C=DC3&_dt=1032869276851
   t9863624.da-us.citibank.com/ghs?D=M&C=P

In the first case the path matches and the cookie should be sent.  It was.  In
the second case the path does not match (ghs is the file name and not the patyh)
and the cookie was not being sent.  But apparently the site was expecting that
the cookie be sent.  If I put in a band-aid and sent the cookie, everything
worked perfectly.

OK, now I have three band-aids to fix the three problems encountered.  And with
those band-aids everything works.  So now I have to determine which ones are the
crucial ones, remove the unnecessary band-aids, and get good patches for the
necessary ones.  This is the easy part -- the analysis was the hard part and
that is now completed.
Unfortunately citibank is getting upset with all the testing that I'm doing, and
they have deactivated the account I was using.  The person whose account it was
is unhappy about the inconvenience.

So I am no longer able to test this out.  I am attaching what I believe may
allow us to log onto the citibank site, but it is untested.  It has fixes for
all three of the problems I've identified.  I'm not sure that the timer problem
is really a problem, but without testing I'm not able to find out.

If someone can do some evangelism work here and get us a test account, that
would be terrific.
Attached patch Untested patch that might work (obsolete) — — Splinter Review 

    
    

    
  
I feel that commenting out the path check (the middle chunk) just means that we
open up sites and users to security/privacy issues forever.  If there's no
problem, the sites in question will never change their code -- there will be
absolutely no incentive to.  So "until these sites are evangelized" just means
"till either we or they are gone".... unfortunately, them being gone will not
help as other sites will use the broken syntax if all browsers support it....

    
    

    
  
As I said, patch is untested.  Eyeballing it, I see an error in the logic.  The
following if statement

   if (pathLen>cookiePathLen &&
       (path[cookiePathLen] != '/' || path[cookiePathLen] != '?')) {

should instead read

   if (pathLen>cookiePathLen &&
       path[cookiePathLen] != '/' && path[cookiePathLen] != '?') {

That would explain why the final test that I ran before I lost the account I was
using didn't work.

    
    

    
  
Boris, I agree completely.  Unfortunately citibank is probably too important a
customer, so if they don't cooperate with our evangelist, we will have to back
out the patch.  I'm just being a realist.

If it was just nordea, I would say leave the test in and apply pressure on them
to change.

    
    

    
  
cc'ing Mitch.  He probably should have been cc'ed on this earlier.

    
    

    
  
I'm extremely reluctant to evangelize something that looks outwardly like a
regression, no matter how emphatically one can argue the correctness of that
regression.
  
Secondly, is testing on Citibank servers an absolute necessity?  Isn't it
possible to create a local test case that sets cookies in the same way?  I'm
sure the "disabled" account will be active again shortly.  Testing a live
banking site as we QA a fix is really not wise.

There's no agenda for evangelism here -- I'm *not keen* to pull hairs with
Citibank over something that once worked.  Let's just do the fix.

    
    

    
  
Arun, the issue is that "the fix" reopens a security hole that we closed up. 
I'm not exactly keen on breaking citibank either, but in this case the behavior
their site currently expects puts the user of any browser that implements it at
risk of cookies being sent to people who have no business being able to get at
them.  

It's not a correctness issue as much as a matter of how much we're willing to
compromise our users' privacy and security over the entire scope of the web
because of a single web site (citibank).

If we were sending the citibank cookies to another banking site's server, they
would be up in arms about it.  Yet that is the behavior they want us to
implement, effectively.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Fix problem in comment 28.  Still untested. (obsolete)
        — 
          — Splinter Review
      

    


  

        Attachment #100461 -
        Attachment is obsolete: true

    
    

    
  
> Secondly, is testing on Citibank servers an absolute necessity?  Isn't it
> possible to create a local test case that sets cookies in the same way?  I'm
> sure the "disabled" account will be active again shortly.  Testing a live
> banking site as we QA a fix is really not wise.

No.  We never can be sure that we are duplicating the cookies exactly (there are
over 20 cookies involved) and they are used in a variety of ways.  Such testing
could be used as a starting point but the final test still has to be run on the
citibank site.  And I'm up to the final tests.

Yes the disabled account will go live again, but it was disabled a second time.
 And the person whose account it was is now less than happy to have me keep
experimenting with her account.

I agree that testing a live account is not wise.  That's why I asked if an
evangelist can get them to give us a test account.


    
    

    
  
Arun: Note that Steve found three different problems among the 20 or so cookies
they set, and that it took considerable investigation to weed out which ones
were causing the rejection. In this situation diagnosing the problem with the
site itself is critical, just as evangelism often needs to pore over the actual
web pages and stylesheets of a broken site to discover the problem, with the
huge disadvantage that the cookies can't be captured locally just once and
replayed over and over the way a web page can.

bz: Steve is proposing we reopen bug 155083 which is about *setting* cookies
with the wrong path, not reading them. The host is still checked, too. The page
could always set path to "/" and get the cookie accepted and readable by the
other page so loosening this restriction doesn't cause any privacy leaks. It
does potentially allow one page on a host to confuse another page on that same
host if the second page trusted the cookie path.

Steve: by "untested" you mean against citibank? You've tested the code in
general I assume.

    
    

    
  
Comment on attachment 100471 [details] [diff] [review]
Fix problem in comment 28.  Still untested.

sr=dveditz if you reopen bug 155083

        Attachment #100471 -
        Flags: superreview+

    
    

    
  
Comment on attachment 100471 [details] [diff] [review]
Fix problem in comment 28.  Still untested.

>+      if (pathLen>cookiePathLen && path[cookiePathLen] != '/' && path[cookiePathLen] != '?') {

What about ';' and '#' -- Should you check for those too? Or wait and see if
sites break first?

    
    

    
  
How about getting something into the daily builds and letting us (users) test
Citibank.  I'll be glad to test or run a sniff/capture with some guidance.

Question 1: Why doesn't this break with other browsers like IE?  Is it open to
this security hole?  I've used all version and still haven't hit this issue.

Question 2: As crazy as this sounds I used Opera 6.05 on WinXP and it prompted 3
times because the cookie path wasn't set "legally" (I'll attach a snapshot). 
The key thing is that I refused all three, but I was able to get through, of
course it didn't remember my username etc. but it still didn't time out and it
had a very nice warning unlike IE, NS nor Moz.

Question 3: Why doesn't someone publicize this "bug" if it exists in other
browsers or major sites, I'm assuming this will eventually get into a build of
NS and since Moz and NS are such scrutinized projects, someone will notice
either the fact that we don't display an error or that the sites don't work.

Stupid Question 1: Being ignorant to the specifics of the Cookies or SSL RFC's
is there a difference in cookie path checking between standard http and secure
mode?  I'm somewhat familiar with the general cookies valiation rules but I was
just wondering, thanks.

And thanks again for the attention to this little booger.

    
    

    
  


  
This is one of the cookie dialogs that popped up when signing onto Citibank.  I
found this feature very interesting and useful.

    
    

    
  
> Steve: by "untested" you mean against citibank? You've tested the code in
> general I assume.

Correct.

> What about ';' and '#' -- Should you check for those too? Or wait and see if
> sites break first?

When would these occur, what would they mean?  And can you have a semicolon? 
The syntax for the set-cookie header would have:

    set-cookie: a=b; path=xyz; domain=...

so a semicolon would end the path and could not be part of it.

> How about getting something into the daily builds and letting us (users) test
> Citibank.  I'll be glad to test or run a sniff/capture with some guidance.

By doing that you would be testing for sufficiency but not for necessity.  For
example, I'm not sure if the expire change is really necessary because there was
some confusion in the early tests that I ran.  If I could run the test myself,
then I could determine immediately which parts of the patch are really necessary.

> Why doesn't this break with other browsers like IE?  Is it open to this
> security hole?

That is correct.

> is there a difference in cookie path checking between standard http and secure
> mode? 

No.  The secure attribute on the set-cookie header means that the cookie will
not be sent back unless there is a secure (https) channel.



    
    

    
  
I meant check for '#' and ';' in the URL as you do for '?' since they are
similar special characters that can terminate the file part of the URL.

    
  

        Attachment #100471 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 100673 [details] [diff] [review]
add check for # and ; -- still untested

r=dveditz (carrying forward)

        Attachment #100673 -
        Flags: superreview+

    
    

    
  
My inclination is to check in the part of the patch dealing with the expire time
and with the getting of cookies (if file name equals path name).   However the
part of the patch that deals with the violation of the cookie spec (setting of
cookies for path not owned by server) should be left for evangelism. 

    
    

    
  
Looking for an r=.  Any takers?

    
    

    
  
Comment on attachment 100673 [details] [diff] [review]
add check for # and ; -- still untested

Looks OK to me.
r=mstoltz.

It's up to you about the path-check issue - I agree that we should evangelize
it.

        Attachment #100673 -
        Flags: review+

    
    

    
  
OK, I checked in the other two parts of the patch (expires time, strange use of
path when sending cookies) but did not check in the setting of cookies that
violate the path test.

Will now leave this as an evangelism issue.  Please get citibank to modify their
site so that they do not set cookies with a path attribute on a path that the
current site does not have authority for.

Reassigning to evangelism.
Assignee: morse → aruner
Status: ASSIGNED → NEW
Component: Cookies → US Banks
Product: Browser → Tech Evangelism
QA Contact: tever → bclary
Target Milestone: mozilla1.2beta → ---
Version: other → unspecified

    
    

    
  
OK, thanks Boris, Mitch, Dan, Stephen et al. for explaining this.  However, one
area is still unclear, and I'm looking for a security assessment.  In Comment
32, bz says that you can send cookies from one banking site to another banking
site's server:

"If we were sending the citibank cookies to another banking site's server, they
would be up in arms about it.  Yet that is the behavior they want us to
implement, effectively."

But I thought this was merely about paths within a given host or domain getting
confused, not about a completely cross-domain cookie sharing violation!  In
fact, dveditz suggests in Comment 35 that the *worst that can happen* is that
you can potentially confuse paths within a given host:

"It does potentially allow one page on a host to confuse another page on that
same host if the second page trusted the cookie path."

Now can someone scare the pants off me with a scenario that brings it all home?
Don't misunderstand me -- I'm *against* RFC violations (as morse mentions in
Comment 20 and Comment 21) but I'd really like a solid story if I'm going to
phone a major international bank and tell them that something's not absolutely
kosher.  The good news is -- if evangelism becomes an absolute necessity, then
the story going forward is really that no Netscape release currently in
circulation (N7 RTM, even Blackbird) will break, but that future browsers won't
be as tolerant of this flaw for their user-base's sake.

    
    

    
  
Arun, there's this unspoken assumption that all paths on a single hostname are
friendly and care about each other.  This is simply not the case in the real
world; eg with any university's website.  I'm not saying that we'd be sending
one bank's cookies to another.  I'm saying we would be doing the equivalent.

I'm afraid I can't scare the heck out of you.  It's not a "lose your life or
freedom" type thing; just a privacy/security violation that could lead to acute
embarrasment (and people getting access to information that they should not have
access to; the implications of this last could, of course, be anything).

    
    

    
  
In Comment 49 , bz raises the classic "GeoCities" scenario which is that
different paths on a consistent host/domain don't necessarily mean that every
path is friendly to every other path.  I acknowledge this, and think Mel Reyes
attachment in Comment 39 is a happy compromise.  I'm not scared out of my wits;
I think I'm going to seek advice on whether to evangelize or not from many
different sources.

    
    

    
  
I agree that putting control over this in the hands of the user may be a decent
compromise. Note that I specifically avoided mentioning geocities because imo
people tend to blow off geocities as "who cares about them".  The problem is,
many other much more serious sites are also affected by the same scenario...

    
    

    
  
Patch for bug 155083 has been backed out.  This site should now be working
Status: NEW → ASSIGNED

    
    

    
  
win32 trunkbuild 2002100208 still has problem -- waiting for new build.

    
    

    
  
win32 2002100308 build now working again

    
    

    
  
Citibank finaly seems to implement new website (it was on/off for last few
month).  On new website, timeout is not a problem, but information (i.e. list of
charges, payments etc.) doesn't show up, and it doesn't display any errors. 
Balances shows up just fine.

    
    

    
  
So far WFM with 2002100710 on 2K-pro

    
    

    
  
Just tested new citi website with 2002100804 build.  Works fine for me.  Once I
got a mozilla crush, but I am not sure it was related (Talkback TB12256689W).  I
had another 8 tabs open. 

As a site note, latest builds are fast, but citibank website is significantly
slower than IE 6.1.

    
    

    
  
confirming. I've tested their new site this weekend, checking balances, making
payments & transfers, and no problems encountered using NS7 on MacOS X. No
timeout when using the browser back/forward buttons either!

Congrats to all for the excellent evangelism work. It worked!

    
    

    
  
The site wasn't evangelized, at least not that I know of.  Instead we relaxed
our cookie checking, even though we were doing what the standard called for, and
backed out the patch in bug 155083.  That's what fixed things.

So much for standards. :-(

    
    

    
  
I'd like to report that the citibank site works for me with the latest nightly
mozilla, and with mozilla 1.1 and earlier, but not with 1.2alpha.  Thanks for
getting it working, and I'm alarmed at the nature of the comments about
Citibank's cookie handling etc and have submitted a consumer feedback form to
Citibank pointing them to this page and expressing concern about their security.
Depends on: 85557
Keywords: evang500

    
    

    
  
Sent mail to Arun asking could you please take a look at bug and update
accordingly.  Said it looks to me like you might be able to close the bug, but
if you are not able to do that could you please target a Mozilla milestone? 
This bug is currently untargeted.

    
    

    
  
Now technically, this bug can be closed because there's no longer an evangelism
issue here.  Morse backed the patch out; without the patch, things should work
as they were before.  
I can close this bug, but I think that I ought to first seek dveditz's approval,
since he was one of forces behind the backing out of the patch.  Dan, can we lay
this issue to rest?

    
    

    
  
Arun, assuming you can get dvedtiz approval, please close this.

    
    

    
  
Arun,
If you are referring to me, I would say put it to rest.  I have not had a 
problem with CitiBank for a while now.

Thanks,
Dan

    
    

    
  
closing
Status: ASSIGNED → RESOLVED
Closed: 22 years ago21 years ago
Resolution: --- → FIXED

    
    

    
  
verifying per comments
Status: RESOLVED → VERIFIED

    
    

    
  
Moving to new component
Component: US Banks → English US

    
    

    
  
Why moving? It's fixed.  2003061108 win32 WFM

    
    

    
  
You can remove only a component in bugzilla if there is no bug in the component..

Product: Tech Evangelism → Tech Evangelism Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: