[Savannah-dev] [Bug #1260] New "nongnu.org" site breaks sessions and prefs
From: nobody
Subject: [Savannah-dev] [Bug #1260] New "nongnu.org" site breaks sessions and prefs
Date: Mon, 23 Sep 2002 11:17:52 -0400
=================== BUG #1260: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1260&group_id=11
Changes by: Yann Dirson <address@hidden>
Date: 2002-Sep-23 17:17 (Europe/Paris)
------------------ Additional Follow-up Comments ----------------------------
"Adding cookies from other sites means reading cookies from other sites"
Why? You can only read cookies if the browser sends them. That in itself
does not prevent a server from issuing a setcookie or whatever for another site.
I understand it could be used by bad boys, and the Netscape doc says "Only
hosts within the specified domain can set a cookie for a domain". But well, it
looks like a client-side issue whether to accept them, and e.g. galeon seems to
be configured to accept them by default.
http://wp.netscape.com/newsref/std/cookie_spec.html
We could maybe get the same functionality using reasonable technologies. E.g.
have the page returned by the login form contain a simple form with just a
submit button visible, to automatically log into the sibling site.
Or a direct link to the sibling site, which would trigger login transparently,
but that may not be feasible, or even a good idea.
=================== BUG #1260: FULL BUG SNAPSHOT ===================
Submitted by: ydirson Project: Savannah
Submitted on: 2002-Sep-23 10:25
Category: None Severity: 5 - Average
Priority: None Bug Group: None
Resolution: None Assigned to: None
Status: Open Effort: 0.00
Summary: New "nongnu.org" site breaks sessions and prefs
Original Submission: I just discovered that non-GNU projects appear to have
been migrated to savannah.nongnu.org - maybe some announcement should be made
so that people would know something changed.
As a consequence of this change, when I log in as usual on s.gnu.org, then
follow an admin link to one of my projects, I reach an annoying "Insufficient
Group Access". If I log in there, I do not get my prefs.
Follow-up Comments
*******************
-------------------------------------------------------
Date: 2002-Sep-23 17:04 By: yeupou
"That sounds like a bug :)
If browsers have support to filter out such things, I suppose it's allowed by
the specs..."
I do not think it's a bug. It would be weird if a website were able to
remove/change cookies from other sites.
For instance, I run toto.po, I do not like the server adadadd.hi: I just have
to put setcookie(blabadadad... "adadadd.hi"); to disturb each user from
adadadd.hi... And no one will know.
Worse, think about telerama.fr, which has its users' passwords stored
unencrypted in cookies....
Adding cookies from other sites means reading cookies from other sites...
-------------------------------------------------------
Date: 2002-Sep-23 16:52 By: ydirson
"apparently the function setcookie is unable to set the cookie domain unless
the domain chosen is the name of the server"
That sounds like a bug :)
If browsers have support to filter out such things, I suppose it's allowed by
the specs...
-------------------------------------------------------
Date: 2002-Sep-23 16:40 By: yeupou
The interest is having prefs without being logged in.
Anyway, apparently the function setcookie is unable to set the cookie domain
unless the domain chosen is the name of the server. It means that
savannah.gnu.org will probably not be granted to set a cookie for
savannah.nongnu.org.
-------------------------------------------------------
Date: 2002-Sep-23 15:07 By: ydirson
What are the reasons behind having some prefs depending on cookies? E.g., I
can't see why the selected theme is not in the db?
To share the sessions, what about setting cookies for both sites at once?
(hm, I currently block cookies not matching the current website :)
-------------------------------------------------------
Date: 2002-Sep-23 14:52 By: yeupou
"Was such a mess worth the trouble?"
Yes. Having gnu.org in the URL of non-GNU projects is highly misleading.
"What about sharing at least prefs & such things?"
Prefs that depend on the database are already shared. Prefs that depend on
cookies are not.
-------------------------------------------------------
Date: 2002-Sep-23 14:40 By: ydirson
Was such a mess worth the trouble?
What about sharing at least prefs & such things?
-------------------------------------------------------
Date: 2002-Sep-23 14:35 By: yeupou
« just discovered that non-gnu projects appear to have been migrated to
savannah.nongnu.org - maybe some announcement should be done so that people
would know something changed »
We are waiting for the mailing list to work with the correct domain names.
The problem is that savannah.gnu.org and savannah.nongnu.org are two virtual
hosts, understood as two different servers. Sessions are stored via a cookie for
a particular server. So you need to be logged in to the two separate servers.
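As an added illustration, not part of this bug thread or of Savannah's code: a client-side model of the Netscape cookie domain rule the thread cites ("Only hosts within the specified domain can set a cookie for a domain"), showing why a session cookie set by savannah.gnu.org is neither accepted for savannah.nongnu.org nor sent there, which is exactly the "two separate servers" situation described above. Cookie names and values are constructed; the embedded-dot check stands in for the public suffix list a modern browser would use.

```python
"""Netscape-style cookie domain scoping, as a cookie-accepting client sees it."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # normalised, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (tail match on a label boundary)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def accept_set_cookie(request_host: str, name: str, value: str,
                      domain: Optional[str] = None) -> Optional[Cookie]:
    """Decide whether a client stores a Set-Cookie received from request_host.

    Returns the stored Cookie, or None when the Domain attribute is rejected.
    """
    if domain is None:
        # No Domain attribute: the cookie belongs to the setting host only.
        return Cookie(name, value, request_host.lower(), host_only=True)
    d = domain.lower().lstrip(".")
    # Reject bare top-level domains; the spec wants an embedded dot (simplification
    # of the public suffix list used by modern browsers).
    if "." not in d:
        return None
    # The setting host must itself lie within the requested domain.
    if not domain_matches(request_host, d):
        return None
    return Cookie(name, value, d, host_only=False)


def cookies_for(jar: List[Cookie], host: str) -> Dict[str, str]:
    """Select the cookies a client would send with a request to host."""
    sent: Dict[str, str] = {}
    for c in jar:
        if c.host_only:
            if host.lower() == c.domain:
                sent[c.name] = c.value
        elif domain_matches(host, c.domain):
            sent[c.name] = c.value
    return sent
```

A login page on savannah.gnu.org can therefore only scope its session cookie to savannah.gnu.org or to gnu.org, never to nongnu.org, so the second site needs its own login (or a hand-off such as the auto-submitted form suggested in the thread).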
CC list is empty
No files currently attached
For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1260&group_id=11