
[Savannah-dev] [Bug #1260] New "nongnu.org" site breaks sessions and pre


From: nobody
Subject: [Savannah-dev] [Bug #1260] New "nongnu.org" site breaks sessions and prefs
Date: Mon, 23 Sep 2002 11:27:00 -0400

=================== BUG #1260: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1260&group_id=11

Changes by: Mathieu Roy <address@hidden>
Date: 2002-Sep-23 17:26 (Europe/Paris)

            What     | Removed                   | Added
---------------------------------------------------------------------------
         Assigned to | None                      | yeupou


------------------ Additional Follow-up Comments ----------------------------
My tests were done by using galeon.

Your latest idea seems fine to me. I'll test this.



=================== BUG #1260: FULL BUG SNAPSHOT ===================


Submitted by: ydirson                   Project: Savannah                       
Submitted on: 2002-Sep-23 10:25
Category:  None                         Severity:  5 - Average                  
Priority:  None                         Bug Group:  None                        
Resolution:  None                       Assigned to:  yeupou                    
Status:  Open                           Effort:  0.00                           

Summary:  New "nongnu.org" site breaks sessions and prefs

Original Submission:  I just discovered that non-gnu projects appear to have 
been migrated to savannah.nongnu.org - maybe some announcement should be done 
so that people would know something changed.

As a consequence of this change, when I login as usual in s.gnu.org, then 
follow an admin link to one of my projects, I reach an annoying "Insufficient 
Group Access".  If I login there, I do not get my prefs.

Follow-up Comments
*******************

-------------------------------------------------------
Date: 2002-Sep-23 17:26             By: yeupou
My tests were done by using galeon.

Your latest idea seems fine to me. I'll test this.

-------------------------------------------------------
Date: 2002-Sep-23 17:17             By: ydirson
"Adding cookies from other sites means reading cookies from other sites"

Why?  You can only read cookies if the browser sends them.  That in itself 
does not prevent a server from issuing a setcookie or whatever for another site.

I understand it could be used by bad boys, and the netscape doc says "Only 
hosts within the specified domain can set a cookie for a domain".  But well, it 
looks like a client-side issue whether to accept them, and eg. galeon seems to 
be configured to accept them by default.

http://wp.netscape.com/newsref/std/cookie_spec.html


We could maybe get the same functionality using reasonable technologies.  Eg. 
have the page returned by the login form contain a simple form with just a 
submit button visible, to automatically log into the sibling site.

Or a direct link to the sibling site, which would trigger login transparently, 
but that may not be feasible, or even a good idea.

-------------------------------------------------------
Date: 2002-Sep-23 17:04             By: yeupou
"That sounds like a bug :)
If browsers have support to filter out such things, I suppose it's allowed by 
the specs..."


I do not think it's a bug. It would be weird if a website were able to 
remove/change cookies from other sites.

For instance, I run toto.po, I do not like the server adadadd.hi: I just have 
to put setcookie(blabadadad... "adadadd.hi");  to disturb every user of 
adadadd.hi... And no one will know.
Worse, think about telerama.fr, which has its users' passwords stored 
unencrypted in cookies....
Adding cookies from other sites means reading cookies from other sites...


-------------------------------------------------------
Date: 2002-Sep-23 16:52             By: ydirson
"apparently the function setcookie is unable to set the cookie domain unless 
the domain chosen is the name of the server"

That sounds like a bug :)
If browsers have support to filter out such things, I suppose it's allowed by 
the specs...


-------------------------------------------------------
Date: 2002-Sep-23 16:40             By: yeupou
The interest is having prefs without being logged in.


Anyway, apparently the function setcookie is unable to set the cookie domain 
unless the domain chosen is the name of the server. It means that 
savannah.gnu.org will probably not be allowed to set a cookie for 
savannah.nongnu.org.



-------------------------------------------------------
Date: 2002-Sep-23 15:07             By: ydirson
What are the reasons behind having some prefs depending on cookies?  E.g., I 
can't see why the selected theme is not in the db?

To share the sessions, what about setting cookies for both sites at once?
(hm, I currently block cookies not matching current website:)


-------------------------------------------------------
Date: 2002-Sep-23 14:52             By: yeupou
"Was such a mess worth the trouble?"

Yes.  Having gnu.org in the url of non-GNU projects is highly misleading.

"What about sharing at least prefs & such things?"

Prefs that depend on the database are already shared. Prefs that depend on 
cookies are not.

-------------------------------------------------------
Date: 2002-Sep-23 14:40             By: ydirson
Was such a mess worth the trouble?
What about sharing at least prefs & such things?


-------------------------------------------------------
Date: 2002-Sep-23 14:35             By: yeupou
« just discovered that non-gnu projects appear to have been migrated to 
savannah.nongnu.org - maybe some announcement should be done so that people 
would know something changed »

We are waiting for the mailing list to work with the correct domain names.

The problem is that savannah.gnu.org and savannah.nongnu.org are two virtual 
hosts, understood as two different servers. Sessions are stored via cookie for 
a particular server. So you need to be logged in on the two separate servers.


CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1260&group_id=11
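
The cookie-domain restriction discussed in this thread, as an added example that is not part of the original bug report or Savannah's code: a JavaScript sketch of the domain-match rule later standardized in RFC 6265, applied to the two Savannah hostnames. The function names and the small public-suffix set are assumptions made for illustration.

```javascript
// Constructed stand-in for the Public Suffix List; browsers ship the full list.
const PUBLIC_SUFFIXES = new Set(["org", "com", "net", "fr"]);

const isIpAddress = (host) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");

// RFC 6265 5.1.3: host matches domain if they are identical, or if domain is
// a dot-aligned suffix of host and host is not an IP address.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return !isIpAddress(host) && host.endsWith("." + domain);
}

// Browser-side decision for a Set-Cookie received from requestHost.
// domainAttr is the Domain attribute value, or null when it is absent.
function evaluateSetCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { accepted: true, hostOnly: true, domain: host };
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(domain)) {
    // A public suffix is only tolerated as a host-only cookie for that exact host.
    return domain === host
      ? { accepted: true, hostOnly: true, domain: host }
      : { accepted: false, reason: "public suffix" };
  }
  if (!domainMatches(host, domain))
    return { accepted: false, reason: "domain mismatch" };
  return { accepted: true, hostOnly: false, domain };
}

// Whether a stored cookie is sent back on a request to requestHost.
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

function demo() {
  const cross = evaluateSetCookie("savannah.gnu.org", "savannah.nongnu.org");
  const wide = evaluateSetCookie("savannah.gnu.org", ".gnu.org");
  const tld = evaluateSetCookie("savannah.gnu.org", ".org");
  return {
    cross, wide, tld,
    // "nongnu.org" ends in "gnu.org" but not on a label boundary, so no match.
    wideReachesNongnu: cookieSentTo(wide, "savannah.nongnu.org"),
    wideReachesGnuSibling: cookieSentTo(wide, "www.gnu.org"),
  };
}
console.log(demo());
```

Widening the cookie to `.gnu.org` shares it with other gnu.org hosts but still never reaches savannah.nongnu.org, which is why the session has to be established separately on each site.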



