Bug 375488 - HttpOnly Cookies broken (exchanged httponly and secure)
Status: RESOLVED FIXED (Closed)
Opened 18 years ago, closed 18 years ago
Categories: Core :: Networking: Cookies, defect
People: Reporter: ronny.perinke, Assigned: ronny.perinke
Keywords: regression
Attachments (1 file): patch (deleted); mkaply: review+, darin.moz: superreview+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9a4pre) Gecko/20070327 Firefox/3.0a4pre (Sephiroth/SSE2)
Build Identifier:
If a httponly-cookie or even a normal cookie is read from cookies.txt, its isSecure and httponly state are exchanged. httponly becomes isSecure and vice versa.
Thus, httponly-cookies are not sent through a non-secure http-connection and will be stored incorrectly again in cookies.txt
Reproducible: Always
Steps to Reproduce:
1. login to a forum using vBulletin >= 3.6.1 and check "remember login"
2. quit browser and do not delete the login cookies (userid and password)
3. start browser and visit the forum
Actual Results:
not logged in anymore
Expected Results:
automatically logged in again
bug #178993 comment #119
> something went wrong, the cookies are not sent back or so.
>
> bug #315699 comment #32
> > I can consistently encounter this bug using build Mozilla/5.0 (Windows; U;
> > Windows NT 5.1; en-US; rv:1.9a3pre) Gecko/20070321 Minefield/3.0a3pre, on the
> > site http://forums.beyondunreal.com, which uses vBulletin Version 3.6.5.
> >
> vBulletin uses httponly for cookies that contain your userid,
> password-hash and sessionhash since vB 3.6.1. Login works normally in IE 7,
> which supports httponly cookies.
>
Comment 1 • 18 years ago (Assignee)
fix call of nsCookie::Create()
isHttpOnly is the 9th parameter and not the 8th
aIsSecure is the 8th parameter and not the 9th
Attachment #259755 - Flags: review?(sayrer)
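The parameter exchange described in comment 1, as an added example that is not part of the bug report or of Mozilla's code: a simplified C++ model showing why two adjacent `bool` parameters swap silently, what the swap does to a stored cookie, and how distinct flag types turn the same mistake into a compile error. The `Cookie` struct and the functions `Create`, `LoadBuggy`, `LoadFixed`, `SentOver`, `ScriptReadable` and `CreateTyped` are hypothetical names.

```cpp
// Added illustration: a simplified model, not Mozilla's nsCookie code.
#include <iostream>
#include <string>

struct Cookie {
    std::string name;
    bool isSecure;    // only sent over HTTPS
    bool isHttpOnly;  // hidden from script (document.cookie)
};

// Two adjacent bools, secure before httponly as stated in comment 1.
Cookie Create(const std::string& name, bool isSecure, bool isHttpOnly) {
    return Cookie{name, isSecure, isHttpOnly};
}

// Hypothetical loader for one stored record, with the arguments exchanged.
// Both are bool, so the compiler accepts the call without a warning.
Cookie LoadBuggy(const std::string& name, bool secure, bool httpOnly) {
    return Create(name, httpOnly, secure);
}

Cookie LoadFixed(const std::string& name, bool secure, bool httpOnly) {
    return Create(name, secure, httpOnly);
}

bool SentOver(const Cookie& c, bool https) { return !c.isSecure || https; }
bool ScriptReadable(const Cookie& c) { return !c.isHttpOnly; }

// Hardening: one distinct type per flag. Passing them in the wrong order
// to CreateTyped is a type error instead of a silent swap.
enum class Secure : bool { No, Yes };
enum class HttpOnly : bool { No, Yes };

Cookie CreateTyped(const std::string& name, Secure s, HttpOnly h) {
    return Cookie{name, s == Secure::Yes, h == HttpOnly::Yes};
}

int main() {
    // Constructed sample: an HttpOnly, non-secure login cookie.
    Cookie bad = LoadBuggy("userid", false, true);
    Cookie good = LoadFixed("userid", false, true);
    std::cout << "buggy: sent over http=" << SentOver(bad, false)
              << " script-readable=" << ScriptReadable(bad) << "\n"
              << "fixed: sent over http=" << SentOver(good, false)
              << " script-readable=" << ScriptReadable(good) << "\n";
    return 0;
}
```

The reverse direction of the swap matters to a defender as well: a stored Secure cookie loaded through `LoadBuggy` comes back with `isSecure` false, so in this model it would be sent over plain HTTP.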
Comment 2 • 18 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a4pre) Gecko/20070327 Minefield/3.0a4pre ID:2007032702 [cairo]
Confirming this bug. I've been seeing it for a couple of weeks or so on http://www.neowin.net/forum/
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3 • 18 years ago
Comment on attachment 259755
fix it
r=mkaply
Attachment #259755 - Flags: review?(sayrer) → review+
Updated • 18 years ago
Attachment #259755 - Flags: superreview?(darin.moz)
Updated • 18 years ago
Attachment #259755 - Flags: superreview?(darin.moz) → superreview+
Updated • 18 years ago
Assignee: nobody → ronny.perinke
Whiteboard: [checkin needed]
Comment 4 • 18 years ago
Checking in mozilla/netwerk/cookie/src/nsCookieService.cpp;
/cvsroot/mozilla/netwerk/cookie/src/nsCookieService.cpp,v <-- nsCookieService.cpp
new revision: 1.53; previous revision: 1.52
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Updated • 18 years ago
Flags: in-testsuite?
Comment 5 • 17 years ago
This bug was only present in 3.0 builds, not in 2.0 releases, right? I'm seeing can't-always-remember-me symptoms in 2.0.x up to and including 2.0.0.11. They sound similar but I haven't dug into it yet.
Comment 6 • 17 years ago (Assignee)
(In reply to comment #5)
> This bug was only present in 3.0 builds, not in 2.0 releases, right? I'm
> seeing can't-always-remember-me symptoms in 2.0.x up to and including 2.0.0.11.
> They sound similar but I haven't dug into it yet.
>
Implementing httponly-cookies in Firefox 2.0 is bug 178993 but it looks ok and I can say that it works (for me).
Your problem seems to have another reason. You can check if and what cookie content is sent with LiveHTTPHeaders (http://livehttpheaders.mozdev.org/).