36122 – authentication in popup window sending back cookie

Bug 36122 - authentication in popup window sending back cookie

Summary: authentication in popup window sending back cookie

Status:	RESOLVED DUPLICATE of bug 64182

Alias:	None

Product:	konqueror
Classification:	Applications
Component:	kcookiejar (show other bugs)
Version:	unspecified
Platform:	unspecified Other

Importance:	NOR normal
Target Milestone:	---
Assignee:	Unassigned bugs mailing-list

URL:
Keywords:

Depends on:
Blocks:

Reported:	2001-12-13 12:03 UTC by David Morel
Modified:	2003-12-11 10:09 UTC (History)
CC List:	0 users

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description David Morel 2001-12-13 11:52:38 UTC

(*** This bug was imported into bugs.kde.org ***)

Package: kcookiejar

login w/ cookie problem

in index.php i open a popup for authentication with a href="window.open..."
in this popup is loaded login.php in which I have a form sending user+pass 
back to itsef. 2 cookies are then sent on successful login (user_name and 
id_hash). 

But they are properly received only if i open login.php in the main window: 
If i login through the child window (which is nicer in my opinion) the 
cookies never make it. If i type "login.php" in the main window and proceed  
the cookies are accepted.

example : www.hepik.org
apache l/p : fnac/comitepartdieu
then on index.php click on 'S'identifier' in the left menu
popup appears. type l/p : abcdef/abcdef
cookies are sent but not taken into account.
now try loading login.php in main window l/p:abcdef/abcdef
once sent reload index.php u can see left menu has changed and cookies are 
accepted.

I am using RH7.2 kernel version 2.4.9
KDE 2.2.2 with Qt 2.3.1

-- 
David Morel
____________________________________
Attention ! 
nouvelle adresse : david.morel@amakuru.net

Comment 1 Waldo Bastian 2001-12-14 00:09:20 UTC

On Thursday 13 December 2001 03:52 am David Morel wrote:
> Package: kcookiejar
>
> login w/ cookie problem
>
> in index.php i open a popup for authentication with a
> href=3D"window.open..." in this popup is loaded login.php in which I hav=
e a
> form sending user+pass back to itsef. 2 cookies are then sent on successf=
ul
> login (user_name and id_hash).
>
> But they are properly received only if i open login.php in the main windo=
w:
> If i login through the child window (which is nicer in my opinion) the
> cookies never make it. If i type "login.php" in the main window and
> proceed the cookies are accepted.
>
> example : www.hepik.org
> apache l/p : fnac/comitepartdieu
> then on index.php click on 'S'identifier' in the left menu
> popup appears. type l/p : abcdef/abcdef
> cookies are sent but not taken into account.
> now try loading login.php in main window l/p:abcdef/abcdef
> once sent reload index.php u can see left menu has changed and cookies
> are accepted.

This is intended behaviour. Since your cookies don't specify an expire date=
=20
they are only valid for the lifetime of the session the session ends when=
=20
you close the window in which the cookies were issued.

Does your page work with other webbrowsers?=20

Cheers
Waldo

Comment 2 David Morel 2001-12-14 08:02:52 UTC

|> On Thursday 13 December 2001 03:52 am David Morel wrote:
|> > Package: kcookiejar
|> >
|> > login w/ cookie problem
|> >
|> > in index.php i open a popup for authentication with a
|> > href="window.open..." in this popup is loaded login.php in which I have
|> > a form sending user+pass back to itsef. 2 cookies are then sent on
|> > successful login (user_name and id_hash).
|> >
|> > But they are properly received only if i open login.php in the main
|> > window: If i login through the child window (which is nicer in my
|> > opinion) the cookies never make it. If i type "login.php" in the main
|> > window and proceed the cookies are accepted.
|> >
|> > example : www.hepik.org
|> > apache l/p : fnac/comitepartdieu
|> > then on index.php click on 'S'identifier' in the left menu
|> > popup appears. type l/p : abcdef/abcdef
|> > cookies are sent but not taken into account.
|> > now try loading login.php in main window l/p:abcdef/abcdef
|> > once sent reload index.php u can see left menu has changed and cookies
|> > are accepted.
|>
|> This is intended behaviour. Since your cookies don't specify an expire
|> date they are only valid for the lifetime of the session the session ends
|> when you close the window in which the cookies were issued.
|>
|> Does your page work with other webbrowsers?
|>
|> Cheers

Yes it does (mozilla 0.9.5 ie6). I understood the behaviour after sending 
the e-mail : if i refresh the main window while keeping the child window 
open it works ok. but if i close the child window it doesn't.
Problem is a cookie isn't supposed to be valid for a session/window but for 
all windows  pointing to the domain during a session right ?
The other navigators understand the word 'session' as 'until the browser app 
is closed' which might be much less secure i get your point. Wouldn't it be 
a nice idea to have the cookie destroyed only when all windows using it would 
be closed ? it would make it more usable AND very secure in my opinion: i 
don't like specifiing a lifetime (lifetime=0 == better security in my 
opinion ...provided the browser app is closed...)

congrats for kde as a whole !
-- 
David Morel
____________________________________
Attention ! 
nouvelle adresse : david.morel@amakuru.net

Comment 3 Jason Calabrese 2003-05-23 19:49:40 UTC

I'm having the same problem when a popup closes the cookie that is being used to 
track my session is removed.

Comment 4 Dawit Alemayehu 2003-12-11 10:09:52 UTC

Since we are using BR# 64182 to track the problem of session cookies and popup windows, I will mark it as duplicate of that one eventhough this bugs predates  it by over a year and a half.


*** This bug has been marked as a duplicate of 64182 ***