24390 – It's not possible to log into the spanish train company (renfe.es) to buy tickets online.

Bug 24390 - It's not possible to log into the spanish train company (renfe.es) to buy tickets online.

Summary: It's not possible to log into the spanish train company (renfe.es) to buy tic...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Evangelism (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Mac OS X 10.5

Importance:	P2 Major
Assignee:	Nobody

URL:	http://w1.renfe.es
Keywords:

Depends on:
Blocks:

Reported:	2009-03-05 10:39 PST by Josep Quereda
Modified:	2009-09-27 14:29 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Josep Quereda 2009-03-05 10:39:36 PST

http://w1.renfe.es  

It's the online ticket service for the spanish train company (renfe.es). It's a very important service for the people living on Spain.

Just go to the left bottom below "Mi cuenta" and try to log in with user: X1111111 and password: test 
It's just a not valid user (valid users have a credit card assigned... hehe), but it's valid to see the bug.
Just click to "Entrar" to validate our entries. Then Webkit shows this message: "Result of expression 'batch.req' [undefined] is not an object.", and you are not logged to the system.

But it's really amazing, because if you try to do the same using a Firefox 3.0.5 - Windows user agent using the Develop menu of Webkit, you can correctly log to the system and to buy tickets.
If you try to log with user X1111111 and password: test, a message on red colour like this "Usuario no valido (U005)" is shown below the "Mi cuenta" text. But if you log with a valid user, the user is correctly validated and loged.

Why is it failing only with the webkit user agent and not using other user agents with the same browser?

Comment 1 Mark Rowe (bdash) 2009-03-05 18:55:50 PST

If it works correctly in Safari when the user agent is spoofed then the likely cause is that the website is detecting which browser is accessing it and acting differently for different browsers.  In the console I see:

Safari GET support disabled. See http://getahead.ltd.uk/dwr/server/servlet and allowGetForSafariButMakeForgeryEasier.

This suggests that they do have different behaviour for Safari for some reason.

Does this website work in any previous version of Safari?

Comment 2 Mark Rowe (bdash) 2009-03-05 19:07:00 PST

This is definitely a bug in the website.  Inside the function dwr.engine._sendData in engine.js, it creates an XMLHttpRequest instance as a property of batch named req:

      batch.req = new XMLHttpRequest();

It then detects Safari and attempts to work around a POST bug in ancient versions of Safari (build number < 400).  For newer versions it calls the following code, apparently to let you know that it's using the "normal" code path:

        dwr.engine._handleWarning(batch, { name:"dwr.engine.oldSafari", message:"Safari GET support disabled. See http://getahead.ltd.uk/dwr/server/servlet and allowGetForSafariButMakeForgeryEasier." });

This _handleWarning function has the side-effect of cleaning up "batch", including deleting batch.req.  This leads to the following code throwing an exception when trying to use batch.req:

      batch.req.open(batch.httpMethod, request.url, batch.async);


I'm marking this as evangelism, as the site is clearly doing the wrong thing here.  Someone will need to get in contact with the developer of the site and communicate this problem to them.

Comment 3 Josep Quereda 2009-03-06 01:04:41 PST

Thank you for your analysis Mark.

I will try to contact the developer of this site to communicate this problem.

Comment 4 Josep Quereda 2009-09-27 14:29:17 PDT

Contacted the developers of this website, and recently they has changed what I explained them.

Now it's ok to log into the system, and to buy train tickets. So, all is working now.

Closing.