Closed Bug 375488 Opened 18 years ago Closed 18 years ago

HttpOnly Cookies broken (exchanged httponly and secure)

Categories

(Core :: Networking: Cookies, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: ronny.perinke, Assigned: ronny.perinke)

Details

(Keywords: regression)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9a4pre) Gecko/20070327 Firefox/3.0a4pre (Sephiroth/SSE2)
Build Identifier:

If an httponly cookie or even a normal cookie is read from cookies.txt, its isSecure and httponly states are exchanged. httponly becomes isSecure and vice versa. Thus, httponly cookies are not sent through a non-secure HTTP connection and will be stored incorrectly again in cookies.txt.

Reproducible: Always

Steps to Reproduce:
1. Log in to a forum using vBulletin >= 3.6.1 and check "remember login"
2. Quit the browser and do not delete the login cookies (userid and password)
3. Start the browser and visit the forum

Actual Results:
not logged in anymore

Expected Results:
automatically logged in again

bug #178993 comment #119
> something went wrong, the cookies are not sent back or so.
>
> bug #315699 comment #32
> > I can consistently encounter this bug using build Mozilla/5.0 (Windows; U;
> > Windows NT 5.1; en-US; rv:1.9a3pre) Gecko/20070321 Minefield/3.0a3pre, on the
> > site http://forums.beyondunreal.com, which uses vBulletin Version 3.6.5.
> >
> vBulletin uses httponly for cookies that contain your userid,
> password-hash and sessionhash since vB 3.6.1. Login works normally in IE 7,
> which supports httponly cookies.
Keywords: regression
OS: Windows XP → All
Hardware: PC → All
Attached patch fix it (deleted)
fix call of nsCookie::Create()
isHttpOnly is the 9th parameter and not the 8th
aIsSecure is the 8th parameter and not the 9th
Attachment #259755 - Flags: review?(sayrer)
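
The kind of defect the patch description above names, two adjacent boolean arguments passed in the wrong order when a stored cookie is read back, shown as an added C++ illustration. It is not the attached patch or Mozilla's code; CreateCookie, ReadLine, SentOver and the tab-separated line format are hypothetical.

```cpp
// Added illustration: every name and the line format are hypothetical,
// not Mozilla's nsCookie / nsCookieService code.
#include <iostream>
#include <sstream>
#include <string>

struct Cookie {
    std::string name, value;
    bool isSecure;
    bool isHttpOnly;
};

// Two adjacent bool parameters: swapping them at a call site still compiles.
Cookie CreateCookie(const std::string& name, const std::string& value,
                    bool isSecure, bool isHttpOnly) {
    return Cookie{name, value, isSecure, isHttpOnly};
}

// Constructed store format: name<TAB>value<TAB>secure<TAB>httponly
std::string Serialize(const Cookie& c) {
    std::ostringstream out;
    out << c.name << '\t' << c.value << '\t' << c.isSecure << '\t' << c.isHttpOnly;
    return out.str();
}

// Reads one stored line. swapArgs=true reproduces the reported defect by
// passing the two flags to the factory in the wrong order.
Cookie ReadLine(const std::string& line, bool swapArgs) {
    std::istringstream in(line);
    std::string name, value, secure, httpOnly;
    std::getline(in, name, '\t');
    std::getline(in, value, '\t');
    std::getline(in, secure, '\t');
    std::getline(in, httpOnly, '\t');
    bool isSecure = (secure == "1"), isHttpOnly = (httpOnly == "1");
    return swapArgs ? CreateCookie(name, value, isHttpOnly, isSecure)
                    : CreateCookie(name, value, isSecure, isHttpOnly);
}

// A secure cookie is only attached to requests on a secure connection.
bool SentOver(const Cookie& c, bool isHttps) { return isHttps || !c.isSecure; }

int main() {
    // Constructed sample: an HttpOnly, non-secure login cookie.
    std::string stored = Serialize(CreateCookie("userid", "42", false, true));
    std::cout << "buggy reader sends over http: " << SentOver(ReadLine(stored, true), false) << "\n"
              << "fixed reader sends over http: " << SentOver(ReadLine(stored, false), false) << "\n";
    return 0;
}
```

A round-trip check (serialize, read back, compare both flags) is the regression test that catches this class of swap, since the compiler cannot.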
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a4pre) Gecko/20070327 Minefield/3.0a4pre ID:2007032702 [cairo]

Confirming this bug. I've been seeing it for a couple of weeks or so on http://www.neowin.net/forum/
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: 178993
Comment on attachment 259755
fix it

r=mkaply
Attachment #259755 - Flags: review?(sayrer) → review+
Attachment #259755 - Flags: superreview?(darin.moz)
Attachment #259755 - Flags: superreview?(darin.moz) → superreview+
Assignee: nobody → ronny.perinke
Whiteboard: [checkin needed]
Checking in mozilla/netwerk/cookie/src/nsCookieService.cpp;
/cvsroot/mozilla/netwerk/cookie/src/nsCookieService.cpp,v <-- nsCookieService.cpp
new revision: 1.53; previous revision: 1.52
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Flags: in-testsuite?
This bug was only present in 3.0 builds, not in 2.0 releases, right? I'm seeing can't-always-remember-me symptoms in 2.0.x up to and including 2.0.0.11. They sound similar but I haven't dug into it yet.
(In reply to comment #5)
> This bug was only present in 3.0 builds, not in 2.0 releases, right? I'm
> seeing can't-always-remember-me symptoms in 2.0.x up to and including 2.0.0.11.
> They sound similar but I haven't dug into it yet.

Implementing httponly-cookies in Firefox 2.0 is bug 178993 but it looks ok and I can say that it works (for me). Your problem seems to have another reason. You can check if and what cookie content is sent with LiveHTTPHeaders (http://livehttpheaders.mozdev.org/).