Bug 16008

Summary: Almost all cookies are deleted
Product: WebKit Reporter: Jacob Weber <jacob>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: mrowe
Priority: P2    
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.5   

Jacob Weber
Reported 2007-11-15 18:31:40 PST
After using Safari for a while, I went to a web site that I had just visited, and expected to still be logged in. When I saw that I wasn't logged in to that site, or any others, I checked Safari's Preferences and realized that almost all the cookies had been removed! The only ones that remained were from: bugreport.apple.com, wdg2.apple.com, google.com, ads.macupdate.com, www.macupdate.com, .parallels.com, stats.parallels.com, and a couple others. This has happened twice in the last week; the first time was on OS 10.5, and it happened just now on 10.5.1. I'm currently using Safari 5523.10. I believe that both times, I was submitting a bug report on bugreport.apple.com when this happened. Does that site have some kind of access to cookies that other sites don't? I was able to restore the cookies with Time Machine, but this seems like a serious issue.
Attachments
Add attachment proposed patch, testcase, etc.
Jacob Weber
Comment 1 2007-11-15 18:54:41 PST
I've now been able to reproduce this consistently, and it seems to always happen on https://bugreport.apple.com. Here's what I'm doing: 1. Go to https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa/wa/signIn 2. Log in with my Apple ID/password. 3. Click a few links in this site, and check the cookies in Preferences after clicking each one. I can't figure out the exact pattern that causes them to be deleted, but one example was clicking New Problem, then My Originated Problems, then clicking one of the problems in the My Originated Problems page, then clicking New Problem again. I looked at the Web Inspector for the pages that seem to have deleted the cookies. Below are two examples. (I'm assuming it's the main HTML page and not the images, which didn't have any Set-Cookie headers). Example 1: https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa/32/wo/6wtNF7FTiFmkuVbm4Fp9uM/6.19.0 Request Accept text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Referer https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa/32/wo/6wtNF7FTiFmkuVbm4Fp9uM/5.11.0 User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us) AppleWebKit/523.10.3 (KHTML, like Gecko) Version/3.0.4 Safari/523.10 Response Cache-Control max-age=60, private, no-cache, no-store, must-revalidate, max-age=0 Connection close Content-Length 4015 Content-Type text/html; charset=UTF-8; Date Fri, 16 Nov 2007 02:44:38 GMT Expires Fri, 16 Nov 2007 02:45:38 GMT, Thu, 15-Nov-2007 08:37:02 GMT Pragma no-cache Server Apache/1.3.33 (Darwin) mod_ssl/2.8.24 OpenSSL/0.9.7l Set-Cookie wosid=6wtNF7FTiFmkuVbm4Fp9uM; version="1"; path=/cgi-bin/WebObjects/RadarWeb.woa, woinst=32; version="1"; path=/cgi-bin/WebObjects/RadarWeb.woa, wossid=9241.387431881709; version="1"; path=/ Example 2: https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa/30/wo/DAvebf11pWNdk5a2m3w2cg/4.65.1.3 Request Accept text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Referer https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa/30/wo/DAvebf11pWNdk5a2m3w2cg/3.21.0 User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us) AppleWebKit/523.10.3 (KHTML, like Gecko) Version/3.0.4 Safari/523.10 Response Cache-Control max-age=60 Connection close Content-Length 14937 Content-Type text/html; charset=UTF-8; Date Fri, 16 Nov 2007 02:47:34 GMT Expires Fri, 16 Nov 2007 02:48:34 GMT, Thu, 15-Nov-2007 08:36:31 GMT Server Apache/1.3.33 (Darwin) mod_ssl/2.8.24 OpenSSL/0.9.7l Set-Cookie wosid=DAvebf11pWNdk5a2m3w2cg; version="1"; path=/cgi-bin/WebObjects/RadarWeb.woa, woinst=30; version="1"; path=/cgi-bin/WebObjects/RadarWeb.woa, wossid=4123.667555573998; version="1"; path=/
Mark Rowe (bdash)
Comment 2 2007-11-15 20:25:39 PST
This is <rdar://problem/5592734>, which is not a WebKit issue.
Note You need to log in before you can comment on or make changes to this bug.