Bug 6728 - Unable to login into mail.lycos.nl
Summary: Unable to login into mail.lycos.nl
Status: RESOLVED DUPLICATE of bug 3512
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: 420+
Hardware: Mac OS X 10.4
: P1 Major
Assignee: Nobody
URL: http://mail.lycos.nl
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2006-01-23 04:44 PST by Ruben Smits
Modified: 2006-02-03 13:18 PST

Description Ruben Smits 2006-01-23 04:44:05 PST
I have an account on this site. Using other browsers I am able to log in here, but using webkit I can't login with the same name/pw.
(You can sign up for a free account on the site for testing.)
Comment 1 Joost de Valk (AlthA) 2006-01-23 05:09:57 PST
Created an account webkit-test, pass webkit. Confirming the problem, upping to P1 Major, since this is a major site. I'd like to know if other Lycos mail sites are affected as well. Testing with Safari after this to see if this is actually a regression.
Comment 2 Joost de Valk (AlthA) 2006-01-23 05:14:45 PST
Tested, this is NOT a regression. Problem needs reduction, adding keyword.
Comment 3 David Kilzer (:ddkilzer) 2006-01-24 10:55:11 PST
This may be a duplicate of Bug 3512.
Comment 4 Ruben Smits 2006-01-24 12:06:12 PST
I see a difference with Bug 3512. As far as I know logging in at http://mail.lycos.nl has never worked in Safari. (3512 says that issue was a new one and did work in earlier versions.)
Comment 5 Joost de Valk (AlthA) 2006-01-25 00:38:55 PST
Whatever the cause, this still needs reduction :)
Comment 6 David Kilzer (:ddkilzer) 2006-01-25 06:26:57 PST
This is a duplicate of Bug 3512 (explanation below).

However, I would suggest filing a Radar bug anyway and referencing <rdar://problem/4110617>, this Bugzilla bug, and Bug 3512 in the report since it's a different web site than the original report.  (I suspect Apple will fix this in fairly short order since it could affect MANY different web sites, but that's pure speculation on my part.)

If you're an ADC member, use: https://bugreport.apple.com/
If you're not an ADC member, use: http://developer.apple.com/bugreporter/bugrptform.html

Below is the analysis.  First, Safari submits an HTTP POST request to secure.mail.lycos.nl with the username and password to log in:

POST /lsu/signin/action.jsp HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: SECFREESESSIONID=kIZ7FQA7YFzb
Referer: http://secure.mail.lycos.nl/services/signin/mail.jsp
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Safari/417.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Connection: keep-alive
Host: secure.mail.lycos.nl

login=webkit-test&hiddenlogin=Gebruikersnaam&hiddenpassword=******&password=webkit

Next the secure.mail.lycos.nl server returns a 302 redirect response along with 8 cookies to be set on the ".lycos.nl" domain:

HTTP/1.1 302 Found
Date: Wed, 25 Jan 2006 13:00:48 GMT
Server: Apache/1.3.33 (Unix) Resin/2.1.12 mod_gzip/1.3.26.1a mod_ssl/2.8.22 OpenSSL/0.9.6c
Cache-Control: max-age=86400
Expires: Thu, 26 Jan 2006 13:00:48 GMT
Cache-Control: private
Location: http://f012.mail.lycos.nl
Content-Length: 63
Set-Cookie: lsua=d2Via2l0LXRlc3Q6V2Via2l0OlRlc3RlcjpubA%3D%3D; domain=.lycos.nl; path=/; expires=Mon, 24-Apr-2006 23:59:59 GMT
Set-Cookie: lsub=5dcd6f09d1d6b1b05ab7cadad396272c1ef188bbdbcdaadcaed0389e01d34a9e0660a989db932ec7bb4575c1167b83e4b011ffcc86c2ea24dd22215333d32bc98134e91998074727e1db497bba646574e5a6; domain=.lycos.nl; path=/lsu/
Set-Cookie: lsud=26575a26f51f07ddfb2e0c86e4457b20%3A1138194048; domain=.lycos.nl; path=/
Set-Cookie: LBC=92c164b4b2f704d4d9f0d03d14d79ad; domain=.lycos.nl; path=/
Set-Cookie: SERVERS=f012.mail.lycos.nl#; domain=.lycos.nl; path=/
Set-Cookie: IDENTIFIANT=YRWYYSLTMQWLLZLZWSUTLKVNZXMWTMPZKLOVRLSTXXUVTPQOXUWRQTRYNNLVNLXZMXNXXXYNWNYVOVKY; domain=.lycos.nl; path=/
Set-Cookie: AUTH=26575a26f51f07ddfb2e0c86e4457b20; domain=.lycos.nl; path=/
Set-Cookie: ADPROFILE=01970000000000000000000000000FR00000; domain=.lycos.nl; path=/
Connection: close
Content-Type: text/html

The URL has moved <a href="http://f012.mail.lycos.nl">here</a>

Safari then follows the 302 redirect, but fails to send ANY cookies to f012.mail.lycos.nl when it should have sent 7 of them (one had a path of "/lsu/" and should not have been sent):

GET / HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://secure.mail.lycos.nl/services/signin/mail.jsp
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Safari/417.8
Connection: keep-alive
Host: f012.mail.lycos.nl

Firefox 1.5, on the other hand, sends the appropriate 7 cookies with its request at this stage:

GET / HTTP/1.1
Host: f012.mail.lycos.nl
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://secure.mail.lycos.nl/services/signin/mail.jsp
Cookie: ADPROFILE=01970000000000000000000000000FR00000; lsua=d2Via2l0LXRlc3Q6V2Via2l0OlRlc3RlcjpubA%3D%3D; lsud=c4e4775f9f942ea81d748957c62cc623%3A1138194141; LBC=52115396c45258005d8ee3902b17277; SERVERS=f012.mail.lycos.nl#; IDENTIFIANT=YRWYYSLTMQWLLZLZWSUTLKVNZXMWTMPZKLOVRLSTXXUVTPQOXUWRQTRYNNLVNLXZMXNXXXYNWNYVOVKY; AUTH=c4e4775f9f942ea81d748957c62cc623

Thus, this bug is a duplicate of Bug 3512.  (In fact, if you look at the two web sites, they must be using the same webmail software since they're laid out similarly and use very similar URLs.)


*** This bug has been marked as a duplicate of 3512 ***
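
Added example (not part of the bug report and not WebKit's code): a small Python sketch of RFC 6265-style domain and path matching, replayed over the eight Set-Cookie headers from the 302 response in Comment 6 to show which cookies belong on the redirected request. The function names are hypothetical, and the cookie values are shortened to "x".

```python
from urllib.parse import urlsplit

# Set-Cookie headers from the 302 in Comment 6; values shortened to "x" (constructed).
SET_COOKIES = [
    "lsua=x; domain=.lycos.nl; path=/; expires=Mon, 24-Apr-2006 23:59:59 GMT",
    "lsub=x; domain=.lycos.nl; path=/lsu/",
    "lsud=x; domain=.lycos.nl; path=/",
    "LBC=x; domain=.lycos.nl; path=/",
    "SERVERS=x; domain=.lycos.nl; path=/",
    "IDENTIFIANT=x; domain=.lycos.nl; path=/",
    "AUTH=x; domain=.lycos.nl; path=/",
    "ADPROFILE=x; domain=.lycos.nl; path=/",
]

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie value; expiry and the Secure flag are ignored here."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest)}
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {"name": first.partition("=")[0],
            "domain": domain or origin_host.lower(),
            "host_only": not domain,           # no Domain attribute: exact host only
            "path": attrs.get("path") or "/"}  # simplification: the capture always sets Path

def domain_match(host, cookie):
    host = host.lower()
    if host == cookie["domain"]:
        return True
    return not cookie["host_only"] and host.endswith("." + cookie["domain"])

def path_match(request_path, cookie_path):
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return rest == "" or cookie_path.endswith("/") or rest.startswith("/")

def cookies_for(url, set_cookie_headers, origin_host):
    """Names of the cookies a client should attach to a request for `url`."""
    target = urlsplit(url)
    names = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header, origin_host)
        if not domain_match(origin_host, c):
            continue  # an origin may not set cookies for a domain it is not under
        if domain_match(target.hostname, c) and path_match(target.path or "/", c["path"]):
            names.append(c["name"])
    return names

if __name__ == "__main__":
    print(cookies_for("http://f012.mail.lycos.nl", SET_COOKIES, "secure.mail.lycos.nl"))
```

The sketch omits the public-suffix check, so a Domain of ".nl" would be accepted here; a real client rejects it.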
Comment 7 Ruben Smits 2006-02-03 12:52:45 PST
Apple: <rdar://problem/4431359>
Comment 8 David Kilzer (:ddkilzer) 2006-02-03 13:15:39 PST
Added back keywords that were removed.
Comment 9 David Kilzer (:ddkilzer) 2006-02-03 13:18:06 PST
*sigh*  This never had the Regression keyword.