3512 2005-06-13 15:17:38 -0700 REGRESSION (312-412): Can't log in to web mail site in Safari - www.spray.se 2015-01-20 11:02:04 -0800 1 1 1 Unclassified WebKit Forms 412 Mac OS X 10.4 RESOLVED INVALID InRadar, Regression P1 Normal --- 1 c.petersen87 adele alice.barraclough checkert ddkilzer eli eoconnor ggaren giusva mbalistreri mellon85 rubensmits9775 xja85mac oldest_to_newest 11755 0 c.petersen87 2005-06-13 15:17:38 -0700 * SUMMARY Cant log in to mail page in Tiger www.spray.se * STEPS TO REPRODUCE 1. Open Safari 2. Go to http://mail.spray.se/ 3. Enter username and password and press log in * RESULTS Cant log in, after pressing the log in button the page only reloads. This page works fine in Panther Safari. This is one of Sweden's biggest web mail sites. 11756 1 c.petersen87 2005-06-13 15:25:15 -0700 5/11/05 12:43 PM Chris Petersen: I have attached a reduced test case of the problem. The test case contain the FORM element: <form action="http://mail.spray.se/lsu/signin/action.jsp" method="post" name="loginbox"> <input size="" name="login" value="locqa" type="text"> <input size="" name="password" value="l0ct3st" type="password"> <input value="Logga in" type="submit"> </form> The action and method value specified in the Form. 5/11/05 12:51 PM Chris Petersen: Using the attached test case with Safari 2.0 (v412) , clicking the "Logga in" submit button appears to be sending a request. However instead of logging into the account, the main login screen is displayed again. Using this test case, I can correctly log into the account under 10.4.1 (8B15) under 10.4.1 or Safari 1.3 (V312) under 10.3.9. 11757 2 c.petersen87 2005-06-13 15:27:50 -0700 Correction: Using this test case, I CAN'T log into the account under 10.4.1 (8B15) under 10.4.1 or Safari 1.3 (V312) under 10.3.9. However, the test case does work with Firefox 1.0.4. 11758 3 2306 c.petersen87 2005-06-13 15:51:11 -0700 Created attachment 2306 Reduced test case of site 11759 4 c.petersen87 2005-06-13 15:52:11 -0700 Apple Bug: <rdar://problem/4110617> 29339 5 joost 2006-01-22 04:32:50 -0800 Adding Regression keyword. 29439 6 ddkilzer 2006-01-22 10:23:37 -0800 This issue has nothing to do with WebKit. It looks like HTTP protocol layer (in the Foundation classes?) is failing to send cookies set for "domain=.spray.se; path=/" to host "f011.mail.spray.se" during redirects that occur during the process of logging in. This is a pretty serious omission in the behavior of cookies. I'm surprised there haven't been more problems reported that are related to this! (Actually, I think Geoffrey Garen *may* have hit a similar issue that he was debugging, except it was with a credit card site and the site was using SSL. I'm copying him on this bug.) I used ethereal to view what Safari+WebKit-r12282 (Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Safari/417.8) sent to the web site versus what Firefox 1.5 (Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5) sent. Here is the first request from Safari (POSTing the login form; note some previously-set cookies are sent to mail.spray.se): POST /lsu/signin/action.jsp HTTP/1.1 Accept: */* Accept-Language: en Accept-Encoding: gzip, deflate Cookie: ADPROFILE=; LBC=4096df6f36c5c45311e6bd048b392ea; FS004=f9fdQd5plVP9; lsua=bG9jcWE6bG9jcWE6bG9jcWE6c2U%3D Referer: http://bugzilla.opendarwin.org/attachment.cgi?id=2306 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Safari/417.8 Content-Type: application/x-www-form-urlencoded Content-Length: 28 Connection: keep-alive Host: mail.spray.se login=locqa&password=l0ct3st Here is the response from the server: HTTP/1.1 302 Found Date: Sun, 22 Jan 2006 18:01:03 GMT Server: Apache/1.3.31 (Unix) mod_gzip/1.3.26.1a Resin/2.1.10 Vary: Accept-Encoding Cache-Control: private Location: http://f011.mail.spray.se Content-Length: 63 Set-Cookie: lsua=bG9jcWE6bG9jcWE6bG9jcWE6c2U%3D; domain=.spray.se; path=/; expires=Fri, 21-Apr-2006 23:59:59 GMT Set-Cookie: lsub=cc950f09df3494b3a808980a98e3dd097c4ed5f41761144e354bc0f1acd5025c776899bbad5febca6a9b82af86d35f3f06efd611ae4ae280aefc7865b4c399a6474b27bf86c08939106f5266837948131874; domain=.spray.se; path=/lsu/ Set-Cookie: lsud=e9f4e810828243aed2cf0cd63c30e6b2%3A1137952863; domain=.spray.se; path=/ Set-Cookie: LBC=280632a8f2a951d44e94d7a98b33ca1; domain=.spray.se; path=/ Set-Cookie: SERVERS=f011.mail.spray.se#; domain=.spray.se; path=/ Set-Cookie: IDENTIFIANT=WXZYVXNNPYUZNLKPLQXNXWKYMSSWXXWQVLOMMOLSKWQVZYYNTUYNYOPQZLSKUUYT; domain=.spray.se; path=/ Set-Cookie: AUTH=e9f4e810828243aed2cf0cd63c30e6b2; domain=.spray.se; path=/ Set-Cookie: ADPROFILE=01970000000000000000000000000FR00000; domain=.spray.se; path=/ Set-Cookie: FS003=fSwJFiOhCXX8; path=/ Keep-Alive: timeout=1, max=25 Connection: Keep-Alive Content-Type: text/html The URL has moved <a href="http://f011.mail.spray.se">here</a> Then Safari sends another request due to the 302 redirect, but only sends the one cookie where the "domain=.spray.se" was not set which is clearly incorrect: GET / HTTP/1.1 Accept: */* Accept-Language: en Accept-Encoding: gzip, deflate Cookie: FS011=dzcxggr5gwl9 Referer: http://bugzilla.opendarwin.org/attachment.cgi?id=2306 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Safari/417.8 Connection: keep-alive Host: f011.mail.spray.se In Firefox 1.5, all of the previously set cookies are sent: GET / HTTP/1.1 Host: f011.mail.spray.se User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://bugzilla.opendarwin.org/attachment.cgi?id=2306 Cookie: LBC=4af1b401b2e3e7aac052e6085bd42ac; LBCS=aa934ead29a7dbeb513ebc63ea10f53a; SERVERS=f011.mail.spray.se#; IDENTIFIANT=WXZYVXNNPYUZNLKPLQXNXWKYMSSWXXWQVLOMMOLSKWQVZYYNTUYNYOPQZLSKUUYT; AUTH=53bf17d9cde9a8ed55a61a5b7cd91692; ADPROFILE=01970000000000000000000000000FR00000; lsud=53bf17d9cde9a8ed55a61a5b7cd91692%3A1137952954; lsua=bG9jcWE6bG9jcWE6bG9jcWE6c2U%3D; FS011=jZdBzTlHn9c_; NGUserID=d44ec856-10706-1137952064-13; NOLII=1; lea_lii=a208947a 29441 7 ddkilzer 2006-01-22 10:29:02 -0800 Obviously, after the cookies aren't passed back to the web site, the web server doesn't think the user logged in and thus they are redirected back to the "original" web page, which is the behavior that's currently being seen. Once you confirm this, please close this bug (I'd use INVALID or WONTFIX since it doesn't apply to WebKit) so it won't count against the list of WebKit regressions. 29444 8 ddkilzer 2006-01-22 10:42:47 -0800 I have been informed that WebKit does handle some cookie operations, so I'll take a look at that code next! 29458 9 ddkilzer 2006-01-22 12:23:49 -0800 After further review, the conclusion in Comment #6 stands. The real bug is probably in the Foundation classes. I'm going to attempt a horrible work-around in WebCookieAdapter.setCookies(), though, as a proof-of-concept. 29488 10 darin 2006-01-22 15:29:20 -0800 I'm passing the bug on to the folks who do the NSURL Cookies internally and closing this one as INVALID since the bug is not in WebKit. 29829 11 ddkilzer 2006-01-25 06:26:57 -0800 *** Bug 6728 has been marked as a duplicate of this bug. *** 29830 12 ddkilzer 2006-01-25 06:29:54 -0800 (In reply to comment #6) > In Firefox 1.5, all of the previously set cookies are sent: Technically, all but one of the cookies (which were set in the 302 response) are sent by Firefox since one cookie had a path of "/lsu/". 30849 13 eric 2006-01-31 21:20:33 -0800 Removing Regression keyword from bugs already fixed. 31197 14 ddkilzer 2006-02-03 13:16:49 -0800 Added back removed keywords. 36065 15 ddkilzer 2006-03-12 19:58:09 -0800 *** Bug 7738 has been marked as a duplicate of this bug. *** 48051 16 ddkilzer 2006-07-02 15:16:34 -0700 *** Bug 7734 has been marked as a duplicate of this bug. *** 21753 17 ddkilzer 2007-02-25 09:53:46 -0800 *** Bug 12872 has been marked as a duplicate of this bug. *** 21307 18 ddkilzer 2007-02-26 12:53:43 -0800 *** Bug 12872 has been marked as a duplicate of this bug. *** 2333 19 ddkilzer 2007-08-14 05:26:54 -0700 *** Bug 14962 has been marked as a duplicate of this bug. *** 105018 20 xja85mac 2009-01-09 08:49:57 -0800 *** Bug 23186 has been marked as a duplicate of this bug. *** 2306 2005-06-13 15:51:11 -0700 2005-06-13 15:51:11 -0700 Reduced test case of site sample_test.html text/html 438 c.petersen87 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEgVHJhbnNpdGlvbmFs Ly9FTiIKICAgICAgICAiaHR0cDovL3d3dy53My5vcmcvVFIvaHRtbDQvbG9vc2UuZHRkIj4KPGh0 bWw+CjxoZWFkPgoJPHRpdGxlPlVudGl0bGVkPC90aXRsZT4KPC9oZWFkPgo8Ym9keT4KPGZvcm0g IGFjdGlvbj0iaHR0cDovL21haWwuc3ByYXkuc2UvbHN1L3NpZ25pbi9hY3Rpb24uanNwIiBtZXRo b2Q9InBvc3QiIG5hbWU9ImxvZ2luYm94Ij4KPGlucHV0IHNpemU9IiIgbmFtZT0ibG9naW4iIHZh bHVlPSJsb2NxYSIgdHlwZT0idGV4dCI+CjxpbnB1dCBzaXplPSIiIG5hbWU9InBhc3N3b3JkIiB2 YWx1ZT0ibDBjdDNzdCIgdHlwZT0icGFzc3dvcmQiPgo8aW5wdXQgdmFsdWU9IkxvZ2dhIGluIiB0 eXBlPSJzdWJtaXQiPgo8L2Zvcm0+Cgo8L2JvZHk+CjwvaHRtbD4K