Bug 183245
| Summary: | [GTK] Unable to login to some websites because cookies are rejected | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Ting-Wei Lan <lantw44> |
| Component: | WebKitGTK | Assignee: | Michael Catanzaro <mcatanzaro> |
| Status: | RESOLVED MOVED | | |
| Severity: | Normal | CC: | bugs-noreply, mcatanzaro, Ms2ger |
| Priority: | P2 | | |
| Version: | WebKit Local Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugzilla.gnome.org/show_bug.cgi?id=792130 | | |
Ting-Wei Lan
This problem can be found in both WebKitGTK+ 2.19.91 and svn trunk r229066. I am unable to log in to FreeBSD Bugzilla and Phabricator with Epiphany because of the problem.
Steps to reproduce on FreeBSD Bugzilla:
1. Open https://bugs.freebsd.org.
2. Right-click on the page and choose 'Inspect Element'. Switch to the 'Storage' tab to see cookies.
3. Type an email address and password to log in. The login is successful, but no cookie is set.
4. Click 'New' on the page, and you will be asked to log in again.
This is very inconvenient because I have to type the password for every single operation.
Steps to reproduce on Phabricator:
1. Open https://reviews.freebsd.org. It is not specific to FreeBSD Phabricator. You can use other sites to test.
2. Right-click on the page and choose 'Inspect Element'. Switch to the 'Storage' tab to see cookies.
3. Click 'Log in' and type something in the login page. You don't need an account to reproduce the issue.
4. Phabricator refuses to check anything you submitted and shows the following message.
Unhandled Exception ("AphrontMalformedRequestException")
You are trying to save some data to Phabricator, but the request your browser made included an incorrect token. Reload the page and try again. You may need to clear your cookies.
This was a Web request.
This request had an invalid CSRF token.
This makes it impossible to log in. It is especially problematic for internal or private installations of Phabricator because they don't allow anonymous access.
Both issues can be worked around by setting the cookie policy to 'always accept' in Epiphany.
Michael Catanzaro
Is this a regression?
Michael Catanzaro
Does it work if you downgrade to libsoup 2.61.2? In 2.61.90, I made the third party cookie policy more *permissive*. It is certainly possible that something has gone wrong.
Michael Catanzaro
If downgrading libsoup doesn't help, please try the various recent unstable releases of WebKitGTK+ to try to pinpoint the one that introduced this regression; that will make it much easier for us to guess the problematic commit or bisect it.
Ting-Wei Lan
(In reply to Michael Catanzaro from comment #1)
> Is this a regression?
Yes.
(In reply to Michael Catanzaro from comment #2)
> Does it work if you downgrade to libsoup 2.61.2? In 2.61.90, I made the
> third party cookie policy more *permissive*. It is certainly possible that
> something has gone wrong.
Yes, I can successfully log in to Phabricator with libsoup 2.61.2.
Michael Catanzaro
Please test again with libsoup 2.61.91; it should be fixed there, because Claudio reverted my commit that I think broke this.
I'll continue to investigate and try to re-land in https://bugzilla.gnome.org/show_bug.cgi?id=792130.
Michael Catanzaro
(In reply to Michael Catanzaro from comment #5)
> Please test again with libsoup 2.61.91; it should be fixed there
Do let us know :)
Ting-Wei Lan
(In reply to Michael Catanzaro from comment #6)
> (In reply to Michael Catanzaro from comment #5)
> > Please test again with libsoup 2.61.91; it should be fixed there
>
> Do let us know :)
Yes, libsoup 2.61.91 works fine with Phabricator.
Michael Catanzaro
Testing this today...
No problems with GNOME Bugzilla or Freedesktop Bugzilla.
I tried signing up for an account with FreeBSD Bugzilla, but the email confirmation has not arrived yet. We'll see how long it takes....
Michael Catanzaro
OK, the mail came through, it just took a while. I can reproduce on FreeBSD Bugzilla.
Michael Catanzaro
The problem is that the domain in the cookie starts with a dot, and we pass it into soup_tld_get_base_domain, which rejects it with an error that hostnames must not begin with a dot. I'll prepare a fixed patch for GNOME Bugzilla.
Thanks for reporting this problem, Ting-Wei!
Michael Catanzaro
(The other Bugzillas were fine because they didn't set the cookie domain property.)
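
The failure mode identified in the last comments, modelled as an added example that is not part of the original thread and is not libsoup or WebKit code. Assumptions: `base_domain` is a hypothetical stand-in that takes the last two labels instead of consulting the Public Suffix List, the sample domain values are constructed, and stripping the leading dot as RFC 6265 describes is one way to handle the case, not the patch mentioned above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for a base-domain lookup. Like the call named in the
 * bug, it refuses hostnames that begin with a dot. Simplification: it returns
 * the last two labels instead of consulting the Public Suffix List. */
static const char *base_domain(const char *host)
{
    if (host == NULL || host[0] == '\0' || host[0] == '.')
        return NULL;                      /* invalid hostname */
    const char *p = strrchr(host, '.');
    if (p == NULL)
        return host;                      /* single label, e.g. "localhost" */
    while (p > host && p[-1] != '.')
        p--;                              /* walk back to the previous label */
    return p;
}

/* RFC 6265 section 5.2.3: a leading '.' in the Domain attribute is ignored. */
static const char *normalize_cookie_domain(const char *domain)
{
    return (domain != NULL && domain[0] == '.') ? domain + 1 : domain;
}

/* A failed lookup counts as "not first party", so the cookie is dropped
 * under a no-third-party policy (assumed behaviour for this model). */
static bool is_first_party(const char *cookie_domain, const char *page_host)
{
    const char *a = base_domain(cookie_domain);
    const char *b = base_domain(page_host);
    return a != NULL && b != NULL && strcasecmp(a, b) == 0;
}

/* Raw Domain attribute versus the attribute with its leading dot removed. */
bool accept_raw(const char *attr, const char *host) { return is_first_party(attr, host); }
bool accept_normalized(const char *attr, const char *host)
{
    return is_first_party(normalize_cookie_domain(attr), host);
}

int main(void)
{
    const char *attr = ".bugs.freebsd.org";   /* constructed sample value */
    printf("raw: %d normalized: %d\n", accept_raw(attr, "bugs.freebsd.org"),
           accept_normalized(attr, "bugs.freebsd.org"));
    return 0;
}
```

A cookie with no Domain attribute never reaches the dotted-hostname path, which matches the observation that sites not setting the property were unaffected.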