Bug 183245

Summary: [GTK] Unable to login to some websites because cookies are rejected
Product: WebKit
Reporter: Ting-Wei Lan <lantw44>
Component: WebKitGTK
Assignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED MOVED
Severity: Normal
CC: bugs-noreply, mcatanzaro, Ms2ger
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugzilla.gnome.org/show_bug.cgi?id=792130

Description Ting-Wei Lan 2018-03-01 06:53:22 PST
This problem can be found in both WebKitGTK+ 2.19.91 and svn trunk r229066. I am unable to log in to FreeBSD Bugzilla and Phabricator with Epiphany because of the problem.

Steps to reproduce on FreeBSD Bugzilla:

1. Open https://bugs.freebsd.org.
2. Right-click on the page and choose 'Inspect Element'. Switch to the 'Storage' tab to see cookies.
3. Type your email address and password to log in. The login is successful, but no cookie is set.
4. Click 'New' on the page, and you will be asked to login again.

This is very inconvenient because I have to type my password for every single operation.

Steps to reproduce on Phabricator:

1. Open https://reviews.freebsd.org. It is not specific to FreeBSD Phabricator. You can use other sites to test.
2. Right-click on the page and choose 'Inspect Element'. Switch to the 'Storage' tab to see cookies.
3. Click 'Log in' and type something in the login page. You don't need an account to reproduce the issue.
4. Phabricator refuses to check anything you submitted and shows the following message.

Unhandled Exception ("AphrontMalformedRequestException")

You are trying to save some data to Phabricator, but the request your browser made included an incorrect token. Reload the page and try again. You may need to clear your cookies.
This was a Web request.
This request had an invalid CSRF token.

This makes it impossible to log in. It is especially problematic for internal or private installations of Phabricator because they don't allow anonymous access.

Both issues can be worked around by setting the cookie policy to 'always accept' in Epiphany.
Comment 1 Michael Catanzaro 2018-03-01 08:54:06 PST
Is this a regression?
Comment 2 Michael Catanzaro 2018-03-01 08:56:19 PST
Does it work if you downgrade to libsoup 2.61.2? In 2.61.90, I made the third party cookie policy more *permissive*. It is certainly possible that something has gone wrong.
Comment 3 Michael Catanzaro 2018-03-01 08:57:17 PST
If downgrading libsoup doesn't help, please try the various recent unstable releases of WebKitGTK+ to try to pinpoint the one that introduced this regression; that will make it much easier for us to guess the problematic commit or bisect it.
Comment 4 Ting-Wei Lan 2018-03-03 09:39:06 PST
(In reply to Michael Catanzaro from comment #1)
> Is this a regression?

Yes.

(In reply to Michael Catanzaro from comment #2)
> Does it work if you downgrade to libsoup 2.61.2? In 2.61.90, I made the
> third party cookie policy more *permissive*. It is certainly possible that
> something has gone wrong.

Yes, I can successfully log in to Phabricator with libsoup 2.61.2.
Comment 5 Michael Catanzaro 2018-03-05 10:53:44 PST
Please test again with libsoup 2.61.91; it should be fixed there, because Claudio reverted my commit that I think broke this.

I'll continue to investigate and try to re-land in https://bugzilla.gnome.org/show_bug.cgi?id=792130.
Comment 6 Michael Catanzaro 2018-03-05 10:53:58 PST
(In reply to Michael Catanzaro from comment #5)
> Please test again with libsoup 2.61.91; it should be fixed there

Do let us know :)
Comment 7 Ting-Wei Lan 2018-03-07 07:24:02 PST
(In reply to Michael Catanzaro from comment #6)
> (In reply to Michael Catanzaro from comment #5)
> > Please test again with libsoup 2.61.91; it should be fixed there
> 
> Do let us know :)

Yes, libsoup 2.61.91 works fine with Phabricator.
Comment 8 Michael Catanzaro 2018-03-07 14:50:44 PST
Testing this today...

No problems with GNOME Bugzilla or Freedesktop Bugzilla.

I tried signing up for an account with FreeBSD Bugzilla, but the email confirmation has not arrived yet. We'll see how long it takes....
Comment 9 Michael Catanzaro 2018-03-07 15:03:39 PST
OK, the mail came through, it just took a while. I can reproduce on FreeBSD Bugzilla.
Comment 10 Michael Catanzaro 2018-03-07 16:25:05 PST
Problem is the domain in the cookie starts with a dot, and we pass it into soup_tld_get_base_domain, where it gets rejected with an error that hostnames must not begin with a dot. I'll prepare a fixed patch for GNOME Bugzilla.

Thanks for reporting this problem, Ting-Wei!
Comment 11 Michael Catanzaro 2018-03-07 16:25:29 PST
(The other Bugzillas were fine because they didn't set the cookie domain property.)
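
The failure described in comments 10 and 11, as an added example that is not part of the bug thread and is not libsoup's code. `base_domain()` is a simplified stand-in for `soup_tld_get_base_domain` (last two labels, no public suffix list), the function names are hypothetical, and stripping the leading dot is an assumed fix, since the thread does not show the actual patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for soup_tld_get_base_domain(): NULL for a hostname that begins
 * with a dot, otherwise the last two labels. Assumption: no public suffix
 * list, and inputs are already lowercased. */
static const char *base_domain(const char *host)
{
    if (host == NULL || host[0] == '\0' || host[0] == '.')
        return NULL;                 /* "hostnames must not begin with a dot" */
    const char *p = strrchr(host, '.');
    if (p == NULL)
        return NULL;                 /* single label: no base domain */
    while (p > host && p[-1] != '.')
        p--;                         /* walk back to the start of the previous label */
    return p;
}

/* Before: the cookie's Domain attribute is used as-is. ".bugs.freebsd.org"
 * fails the lookup, so the cookie is not recognised as first-party. */
static bool is_first_party_naive(const char *cookie_domain, const char *page_host)
{
    const char *c = base_domain(cookie_domain);
    const char *f = base_domain(page_host);
    return c != NULL && f != NULL && strcmp(c, f) == 0;
}

/* After (assumed fix): drop the leading dot a Domain attribute may carry. */
static bool is_first_party_fixed(const char *cookie_domain, const char *page_host)
{
    if (cookie_domain != NULL && cookie_domain[0] == '.')
        cookie_domain++;
    return is_first_party_naive(cookie_domain, page_host);
}

int main(void)
{
    const char *page = "bugs.freebsd.org";   /* constructed sample values */
    printf("naive, Domain=.bugs.freebsd.org: %d\n",
           is_first_party_naive(".bugs.freebsd.org", page));
    printf("fixed, Domain=.bugs.freebsd.org: %d\n",
           is_first_party_fixed(".bugs.freebsd.org", page));
    /* No Domain attribute: the cookie domain is the bare request host. */
    printf("naive, host-only cookie:         %d\n",
           is_first_party_naive("bugs.freebsd.org", page));
    return 0;
}
```
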