Bug 6728
| Summary: | Unable to login into mail.lycos.nl | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Ruben Smits <rubensmits9775> |
| Component: | WebKit Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Major | CC: | ddkilzer, joost |
| Priority: | P1 | Keywords: | InRadar |
| Version: | 420+ | | |
| Hardware: | Mac | | |
| OS: | OS X 10.4 | | |
| URL: | http://mail.lycos.nl | | |
Ruben Smits
I have an account on this site. Using other browsers I am able to log in here, but using WebKit I can't log in with the same name/pw.
(You can sign up for a free account on the site for testing.)
Joost de Valk (AlthA)
Created an account webkit-test, pass webkit. Confirming the problem, upping to P1 Major, since this is a major site. I'd like to know if other Lycos mail sites are affected as well. Testing with Safari after this to see if this is actually a regression.
Joost de Valk (AlthA)
Tested, this is NOT a regression. Problem needs reduction, adding keyword.
David Kilzer (:ddkilzer)
This may be a duplicate of Bug 3512.
Ruben Smits
I see a difference with Bug 3512. As far as I know logging in at http://mail.lycos.nl has never worked in Safari. (3512 says that issue was a new one and did work in earlier versions.)
Joost de Valk (AlthA)
Whatever the cause, this still needs reduction :)
David Kilzer (:ddkilzer)
This is a duplicate of Bug 3512 (explanation below).
However, I would suggest filing a Radar bug anyway and referencing <rdar://problem/4110617>, this Bugzilla bug, and Bug 3512 in the report since it's a different web site than the original report. (I suspect Apple will fix this in fairly short order since it could affect MANY different web sites, but that's pure speculation on my part.)
If you're an ADC member, use: https://bugreport.apple.com/
If you're not an ADC member, use: http://developer.apple.com/bugreporter/bugrptform.html
Below is the analysis. First, Safari submits an HTTP POST request to secure.mail.lycos.nl with the username and password to log in:
POST /lsu/signin/action.jsp HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: SECFREESESSIONID=kIZ7FQA7YFzb
Referer: http://secure.mail.lycos.nl/services/signin/mail.jsp
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Safari/417.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Connection: keep-alive
Host: secure.mail.lycos.nl

login=webkit-test&hiddenlogin=Gebruikersnaam&hiddenpassword=******&password=webkit
Next the secure.mail.lycos.nl server returns a 302 redirect response along with 8 cookies to be set on the ".lycos.nl" domain:
HTTP/1.1 302 Found
Date: Wed, 25 Jan 2006 13:00:48 GMT
Server: Apache/1.3.33 (Unix) Resin/2.1.12 mod_gzip/1.3.26.1a mod_ssl/2.8.22 OpenSSL/0.9.6c
Cache-Control: max-age=86400
Expires: Thu, 26 Jan 2006 13:00:48 GMT
Cache-Control: private
Location: http://f012.mail.lycos.nl
Content-Length: 63
Set-Cookie: lsua=d2Via2l0LXRlc3Q6V2Via2l0OlRlc3RlcjpubA%3D%3D; domain=.lycos.nl; path=/; expires=Mon, 24-Apr-2006 23:59:59 GMT
Set-Cookie: lsub=5dcd6f09d1d6b1b05ab7cadad396272c1ef188bbdbcdaadcaed0389e01d34a9e0660a989db932ec7bb4575c1167b83e4b011ffcc86c2ea24dd22215333d32bc98134e91998074727e1db497bba646574e5a6; domain=.lycos.nl; path=/lsu/
Set-Cookie: lsud=26575a26f51f07ddfb2e0c86e4457b20%3A1138194048; domain=.lycos.nl; path=/
Set-Cookie: LBC=92c164b4b2f704d4d9f0d03d14d79ad; domain=.lycos.nl; path=/
Set-Cookie: SERVERS=f012.mail.lycos.nl#; domain=.lycos.nl; path=/
Set-Cookie: IDENTIFIANT=YRWYYSLTMQWLLZLZWSUTLKVNZXMWTMPZKLOVRLSTXXUVTPQOXUWRQTRYNNLVNLXZMXNXXXYNWNYVOVKY; domain=.lycos.nl; path=/
Set-Cookie: AUTH=26575a26f51f07ddfb2e0c86e4457b20; domain=.lycos.nl; path=/
Set-Cookie: ADPROFILE=01970000000000000000000000000FR00000; domain=.lycos.nl; path=/
Connection: close
Content-Type: text/html

The URL has moved <a href="http://f012.mail.lycos.nl">here</a>
Safari then follows the 302 redirect, but fails to send ANY cookies to f012.mail.lycos.nl when it should have sent 7 of them (one had a path of "/lsu/" and should not have been sent):
GET / HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://secure.mail.lycos.nl/services/signin/mail.jsp
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Safari/417.8
Connection: keep-alive
Host: f012.mail.lycos.nl
Firefox 1.5, on the other hand, sends the appropriate 7 cookies with its request at this stage:
GET / HTTP/1.1
Host: f012.mail.lycos.nl
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://secure.mail.lycos.nl/services/signin/mail.jsp
Cookie: ADPROFILE=01970000000000000000000000000FR00000; lsua=d2Via2l0LXRlc3Q6V2Via2l0OlRlc3RlcjpubA%3D%3D; lsud=c4e4775f9f942ea81d748957c62cc623%3A1138194141; LBC=52115396c45258005d8ee3902b17277; SERVERS=f012.mail.lycos.nl#; IDENTIFIANT=YRWYYSLTMQWLLZLZWSUTLKVNZXMWTMPZKLOVRLSTXXUVTPQOXUWRQTRYNNLVNLXZMXNXXXYNWNYVOVKY; AUTH=c4e4775f9f942ea81d748957c62cc623
Thus, this bug is a duplicate of Bug 3512. (In fact, if you look at the two web sites, they must be using the same webmail software since they're laid out similarly and use very similar URLs.)
*** This bug has been marked as a duplicate of 3512 ***
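The domain and path matching that decides which of the eight cookies belong on the redirected request, as an added example (not part of the original bug comments and not WebKit's code). It applies the matching rules of RFC 6265 sections 5.1.3 and 5.1.4; the function names are hypothetical and the cookie values are replaced with a placeholder.

```javascript
// Set-Cookie attributes from the 302 response above; values replaced with "x".
// Assumptions: expiry and public-suffix checks are skipped, default path is "/".
const setCookies = [
  "lsua=x; domain=.lycos.nl; path=/; expires=Mon, 24-Apr-2006 23:59:59 GMT",
  "lsub=x; domain=.lycos.nl; path=/lsu/",
  "lsud=x; domain=.lycos.nl; path=/",
  "LBC=x; domain=.lycos.nl; path=/",
  "SERVERS=x; domain=.lycos.nl; path=/",
  "IDENTIFIANT=x; domain=.lycos.nl; path=/",
  "AUTH=x; domain=.lycos.nl; path=/",
  "ADPROFILE=x; domain=.lycos.nl; path=/",
];

function parseSetCookie(header, setterHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  // Without a Domain attribute the cookie is host-only (exact host match).
  const c = { name: pair.split("=")[0], domain: setterHost, hostOnly: true, path: "/" };
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    if (eq < 0) continue;
    const key = attr.slice(0, eq).toLowerCase();
    const val = attr.slice(eq + 1);
    if (key === "domain" && val) {
      c.domain = val.replace(/^\./, "").toLowerCase(); // leading dot is ignored
      c.hostOnly = false;
    } else if (key === "path" && val.startsWith("/")) c.path = val;
  }
  return c;
}

// RFC 6265 5.1.3: identical, or host ends with "." + domain (IP hosts not handled).
const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);

// RFC 6265 5.1.4: cookie path must be a prefix ending at a "/" boundary.
const pathMatch = (reqPath, cPath) =>
  reqPath === cPath ||
  (reqPath.startsWith(cPath) && (cPath.endsWith("/") || reqPath[cPath.length] === "/"));

function cookiesToSend(headers, setterHost, targetUrl) {
  const { hostname, pathname } = new URL(targetUrl);
  return headers
    .map((h) => parseSetCookie(h, setterHost))
    .filter((c) => domainMatch(setterHost, c.domain)) // setter must be inside the domain
    .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain)))
    .filter((c) => pathMatch(pathname, c.path))
    .map((c) => c.name);
}

console.log(cookiesToSend(setCookies, "secure.mail.lycos.nl", "http://f012.mail.lycos.nl"));
```

Dropping the `domain` attribute from the sample headers makes every cookie host-only for secure.mail.lycos.nl, and none of them would then be sent to f012.mail.lycos.nl.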
Ruben Smits
Apple: <rdar://problem/4431359>
David Kilzer (:ddkilzer)
Added back keywords that were removed.
David Kilzer (:ddkilzer)
*sigh* This never had the Regression keyword.