RESOLVED MOVED Bug 183245
[GTK] Unable to login to some websites because cookies are rejected
https://bugs.webkit.org/show_bug.cgi?id=183245
Ting-Wei Lan
Reported 2018-03-01 06:53:22 PST
This problem can be found in both WebKitGTK+ 2.19.91 and svn trunk r229066. I am unable to log in to FreeBSD Bugzilla and Phabricator with Epiphany because of the problem.

Steps to reproduce on FreeBSD Bugzilla:
1. Open https://bugs.freebsd.org.
2. Right-click on the page and choose 'Inspect Element'. Switch to the 'Storage' tab to see cookies.
3. Type email address and password to log in. The login is successful, but no cookie is set.
4. Click 'New' on the page, and you will be asked to log in again.

This is very inconvenient because I have to type the password for every single operation.

Steps to reproduce on Phabricator:
1. Open https://reviews.freebsd.org. It is not specific to FreeBSD Phabricator. You can use other sites to test.
2. Right-click on the page and choose 'Inspect Element'. Switch to the 'Storage' tab to see cookies.
3. Click 'Log in' and type something in the login page. You don't need an account to reproduce the issue.
4. Phabricator refuses to check anything you submitted and shows the following message.

Unhandled Exception ("AphrontMalformedRequestException")
You are trying to save some data to Phabricator, but the request your browser made included an incorrect token. Reload the page and try again. You may need to clear your cookies.
This was a Web request.
This request had an invalid CSRF token.

This makes it impossible to log in. It is especially problematic for internal or private installations of Phabricator because they don't allow anonymous access.

Both issues can be worked around by setting the cookie policy to 'always accept' in Epiphany.
Michael Catanzaro
Comment 1 2018-03-01 08:54:06 PST
Is this a regression?
Michael Catanzaro
Comment 2 2018-03-01 08:56:19 PST
Does it work if you downgrade to libsoup 2.61.2? In 2.61.90, I made the third party cookie policy more *permissive*. It is certainly possible that something has gone wrong.
Michael Catanzaro
Comment 3 2018-03-01 08:57:17 PST
If downgrading libsoup doesn't help, please try the various recent unstable releases of WebKitGTK+ to try to pinpoint the one that introduced this regression; that will make it much easier for us to guess the problematic commit or bisect it.
Ting-Wei Lan
Comment 4 2018-03-03 09:39:06 PST
(In reply to Michael Catanzaro from comment #1)
> Is this a regression?

Yes.

(In reply to Michael Catanzaro from comment #2)
> Does it work if you downgrade to libsoup 2.61.2? In 2.61.90, I made the
> third party cookie policy more *permissive*. It is certainly possible that
> something has gone wrong.

Yes, I can successfully log in to Phabricator with libsoup 2.61.2.
Michael Catanzaro
Comment 5 2018-03-05 10:53:44 PST
Please test again with libsoup 2.61.91; it should be fixed there, because Claudio reverted my commit that I think broke this. I'll continue to investigate and try to re-land in https://bugzilla.gnome.org/show_bug.cgi?id=792130.
Michael Catanzaro
Comment 6 2018-03-05 10:53:58 PST
(In reply to Michael Catanzaro from comment #5)
> Please test again with libsoup 2.61.91; it should be fixed there

Do let us know :)
Ting-Wei Lan
Comment 7 2018-03-07 07:24:02 PST
(In reply to Michael Catanzaro from comment #6)
> (In reply to Michael Catanzaro from comment #5)
> > Please test again with libsoup 2.61.91; it should be fixed there
>
> Do let us know :)

Yes, libsoup 2.61.91 works fine with Phabricator.
Michael Catanzaro
Comment 8 2018-03-07 14:50:44 PST
Testing this today... No problems with GNOME Bugzilla or Freedesktop Bugzilla. I tried signing up for an account with FreeBSD Bugzilla, but the email confirmation has not arrived yet. We'll see how long it takes....
Michael Catanzaro
Comment 9 2018-03-07 15:03:39 PST
OK, the mail came through, it just took a while. I can reproduce on FreeBSD Bugzilla.
Michael Catanzaro
Comment 10 2018-03-07 16:25:05 PST
Problem is the domain in the cookie starts with a dot, which we pass into soup_tld_get_base_domain, which gets rejected with an error that hostnames must not begin with a dot. I'll prepare a fixed patch for GNOME Bugzilla. Thanks for reporting this problem, Ting-Wei!
Michael Catanzaro
Comment 11 2018-03-07 16:25:29 PST
(The other Bugzillas were fine because they didn't set the cookie domain property.)
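The failure mode described in comment 10, as an added example that is not part of this bug thread and is not libsoup's code. `toy_base_domain` is a hypothetical stand-in for `soup_tld_get_base_domain` that keeps the last two labels instead of consulting the public suffix list; the cookie domain `.freebsd.org` is a constructed sample value, and treating a failed lookup as third-party is an assumption about how the rejection arises.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for soup_tld_get_base_domain(): keeps the last two
 * labels and, like the real function per comment 10, fails (NULL) on a
 * hostname that begins with a dot. It does not use the public suffix list. */
static const char *toy_base_domain(const char *host)
{
    if (host == NULL || host[0] == '\0' || host[0] == '.')
        return NULL;
    const char *p = strrchr(host, '.');
    if (p == NULL)
        return host;                 /* single label, e.g. "localhost" */
    while (p > host && p[-1] != '.') /* back up to start of previous label */
        p--;
    return p;
}

/* Before: the cookie's Domain attribute goes into the lookup unchanged.
 * Assumption: a failed lookup is treated as "third party". Hosts are
 * assumed to be lowercased already. */
bool first_party_raw(const char *cookie_domain, const char *page_host)
{
    const char *c = toy_base_domain(cookie_domain);
    const char *p = toy_base_domain(page_host);
    return c != NULL && p != NULL && strcmp(c, p) == 0;
}

/* After: ignore one leading dot first, as RFC 6265 section 5.2.3 does
 * when parsing the Domain attribute. */
bool first_party_normalized(const char *cookie_domain, const char *page_host)
{
    if (cookie_domain != NULL && cookie_domain[0] == '.')
        cookie_domain++;
    return first_party_raw(cookie_domain, page_host);
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    const char *page = "bugs.freebsd.org", *domain = ".freebsd.org";
    printf("raw:        %s\n", first_party_raw(domain, page) ? "accept" : "reject");
    printf("normalized: %s\n", first_party_normalized(domain, page) ? "accept" : "reject");
    return 0;
}
```

A cookie without a Domain attribute takes the host-only path (`bugs.freebsd.org` compared with itself), which matches comment 11's observation that sites not setting the domain property were unaffected.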