Posted to infrastructure-issues@apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2007/12/08 20:51:43 UTC
[jira] Created: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Cookie handling causes problems for IE and Opera
-------------------------------------------------
Key: INFRA-1438
URL: https://issues.apache.org/jira/browse/INFRA-1438
Project: Infrastructure
Issue Type: Improvement
Security Level: public (Regular issues)
Components: MoinMoin
Reporter: Sebb
Priority: Minor
The ASF wikis often have a common prefix, eg
jakarta
jakarta-commons
jakarta-jmeter
I've found that if one logs into jakarta with IE or Opera, it's then impossible to login to jakarta-xxx - this seems to be because those browsers match the prefix when deciding to send the cookie.
Possible solutions:
- ignore cookie when password is provided
- change cookie to include trailing /
I'm not particularly familiar with Python, but I may be able to provide patches ...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561913#action_12561913 ]
Sebb commented on INFRA-1438:
-----------------------------
commit -m "INFRA-1438 - use name from login screen rather than always using whatever cookie matches the site"
Committed revision 614765.
> Cookie handling causes problems for IE and Opera
> -------------------------------------------------
>
> Key: INFRA-1438
> URL: https://issues.apache.org/jira/browse/INFRA-1438
> Project: Infrastructure
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: MoinMoin
> Reporter: Sebb
> Priority: Minor
>
> The ASF wikis often have a common prefix, eg
> jakarta
> jakarta-commons
> jakarta-jmeter
> I've found that if one logs into jakarta with IE or Opera, it's then impossible to login to jakarta-xxx - this seems to be because those browsers match the prefix when deciding to send the cookie.
> Edit: the problem is that the id from the jakarta cookie is assumed to be the id for the jakarta-xxx wiki - the username is ignored (or at least not used to determine the id) when checking the login password. [Should have made this clear originally, sorry]
> Possible solutions:
> Edit: - ignore cookie when name and password are provided [this should be safe]
> - change cookie to include trailing / [Edit: would still need to deal with slashless cookies, so perhaps not good]
> I'm not particularly familiar with Python, but I may be able to provide patches ...
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12549792 ]
Sebb commented on INFRA-1438:
-----------------------------
True, but the issue here is the other way round:
The browser has a cookie for /jakarta, but none for /jakarta-commons.
When logging in to /jakarta-commons, it sends the /jakarta cookie.
For some reason Firefox does not do this, but both IE and Opera seem to.
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Joe Schaefer (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12549791 ]
Joe Schaefer commented on INFRA-1438:
-------------------------------------
Any browser that has a cookie with /jakarta-commons as path must
send that cookie *before* it sends the cookie for /jakarta when
visiting a /jakarta-commons based url. If they're not doing that,
they're not following the spec.
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Joe Schaefer (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12549794 ]
Joe Schaefer commented on INFRA-1438:
-------------------------------------
If the path doesn't have a trailing slash, then
according to the spec, the browser is supposed
to send the /jakarta cookie when visiting
/jakarta-commons.
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12559582#action_12559582 ]
Sebb commented on INFRA-1438:
-----------------------------
@Paul: yes, it is a bug in MoinMoin. But given that we are using quite an old version, I doubt that raising a bug upstream will help...
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Paul Querna (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12558839#action_12558839 ]
Paul Querna commented on INFRA-1438:
------------------------------------
This really sounds like a bug in MoinMoin that should be taken upstream to them?
[jira] Updated: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebb updated INFRA-1438:
------------------------
Description:
The ASF wikis often have a common prefix, eg
jakarta
jakarta-commons
jakarta-jmeter
I've found that if one logs into jakarta with IE or Opera, it's then impossible to login to jakarta-xxx - this seems to be because those browsers match the prefix when deciding to send the cookie.
Edit: the problem is that the id from the jakarta cookie is assumed to be the id for the jakarta-xxx wiki - the username is ignored (or at least not used to determine the id) when checking the login password. [Should have made this clear originally, sorry]
Possible solutions:
Edit: - ignore cookie when name and password are provided [this should be safe]
- change cookie to include trailing / [Edit: would still need to deal with slashless cookies, so perhaps not good]
I'm not particularly familiar with Python, but I may be able to provide patches ...
was:
The ASF wikis often have a common prefix, eg
jakarta
jakarta-commons
jakarta-jmeter
I've found that if one logs into jakarta with IE or Opera, it's then impossible to login to jakarta-xxx - this seems to be because those browsers match the prefix when deciding to send the cookie.
Possible solutions:
- ignore cookie when password is provided
- change cookie to include trailing /
I'm not particularly familiar with Python, but I may be able to provide patches ...
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Joe Schaefer (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561808#action_12561808 ]
Joe Schaefer commented on INFRA-1438:
-------------------------------------
+1 to apply the change discussed.
I'll sync up the live site once I see
the commit go by.
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12549846 ]
Sebb commented on INFRA-1438:
-----------------------------
The offending code seems to be in user.py @ line 278:
    if not self.id and not self.auth_username:
        try:
            cookie = Cookie.SimpleCookie(request.saved_cookie)
        except Cookie.CookieError:
            # ignore invalid cookies, else user can't re login
            cookie = None
        if cookie and cookie.has_key('MOIN_ID'):
            self.id = cookie['MOIN_ID'].value
i.e. the id in the cookie is used, instead of looking up the username.
At line 297, we have:
    elif self.name:
        self.load()
which is where the name from the form is used to lookup the id.
changing line 278 to:
    if not self.id and not self.auth_username and not self.name:
might fix the problem.
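Added example, not part of the original thread and not MoinMoin's code: a Python 3 model of the behaviour discussed in this issue, comparing plain prefix path matching with the '/'-boundary rule of RFC 6265, and the id lookup before and after adding "and not self.name" to the condition. The function names, the user store, the ids and the passwords are constructed for illustration.

```python
import hmac
from http.cookies import CookieError, SimpleCookie


def prefix_path_match(cookie_path, request_path):
    """Netscape spec / RFC 2109 rule: plain string prefix, no boundary check."""
    return request_path.startswith(cookie_path)


def rfc6265_path_match(cookie_path, request_path):
    """RFC 6265 section 5.1.4: the prefix must end on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


# Constructed user store for the jakarta-commons wiki. The same person has
# id 1197.11 in the jakarta wiki, so that is the id carried by its cookie.
COMMONS_USERS = {"1201.42": {"name": "sebb", "password": "pw-commons"}}


def resolve_id(users, cookie_header, form_name, patched):
    """Cookie id first, form name as fallback; patched adds 'and not name'."""
    user_id = None
    if not (patched and form_name):
        try:
            cookie = SimpleCookie(cookie_header)
        except CookieError:
            cookie = None  # ignore invalid cookies
        if cookie and "MOIN_ID" in cookie:
            user_id = cookie["MOIN_ID"].value
    if user_id is None and form_name:
        # Look the id up from the name typed into the login form.
        user_id = next((uid for uid, rec in users.items()
                        if rec["name"] == form_name), None)
    return user_id


def login(users, cookie_header, form_name, form_password, patched):
    """True only if the resolved id exists in this wiki and the password fits."""
    record = users.get(resolve_id(users, cookie_header, form_name, patched))
    if record is None:
        return False
    return hmac.compare_digest(record["password"], form_password)


def simulate(path_match, patched):
    """Log in to /jakarta-commons while holding a cookie scoped to /jakarta."""
    jar = [("/jakarta", "MOIN_ID=1197.11")]  # left by the /jakarta login
    sent = "; ".join(c for p, c in jar if path_match(p, "/jakarta-commons"))
    return login(COMMONS_USERS, sent, "sebb", "pw-commons", patched)


if __name__ == "__main__":
    for match in (prefix_path_match, rfc6265_path_match):
        for patched in (False, True):
            print(match.__name__, "patched" if patched else "original",
                  "->", simulate(match, patched))
```

With prefix matching and the original condition the correct password is rejected, because the foreign id from the /jakarta cookie is looked up in the jakarta-commons store; the patched condition still checks the password, so skipping the cookie does not weaken the login.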
[jira] Closed: (INFRA-1438) Cookie handling causes problems for IE
and Opera
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebb closed INFRA-1438.
-----------------------
Resolution: Fixed
Sorry, I forgot to close this earlier.
I've tested the updated Wiki cookie handling and all seems fine.
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Joe Schaefer (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564495#action_12564495 ]
Joe Schaefer commented on INFRA-1438:
-------------------------------------
Has the situation improved with r614765 active?
[jira] Commented: (INFRA-1438) Cookie handling causes problems for
IE and Opera
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12549823 ]
Sebb commented on INFRA-1438:
-----------------------------
Which is what the 2 browsers are doing.
However, this causes a problem, because MoinMoin seems to use the cookie in preference to the login information.
If you specify a username and password on the UserPreferences screen, it still seems to use the cookie to determine the id.
[I think that is the reason - whatever, the jakarta cookie causes jakarta-commons logins to fail]
Unless the id happens to be the same in both Wikis (very unlikely), this means that the login will fail.
The only way to login to jakarta-commons if you are already logged in to jakarta is to delete the jakarta cookie, e.g. by logging out of it or using a different browser or host that does not have the cookie.
It took me ages to work out why my password for jakarta-httpclient was not working; eventually I used wireshark and compared IE with FF and found the cookie.
I then did the tests with IE, FF and Opera.