Version: (using KDE KDE 3.0.99)
Installed from: Mandrake RPMs
OS: Linux

I can't see any evidence that konqueror honours cookie expiry times. That is, I have a CGI that generates a cookie that konqueror dutifully saves. This cookie has an expiry time as it's used for database access. To prevent long-running access my cookies are generated with an expiry time.

Regardless of the expiry time set (which is shown correctly in the cookie manager in konqueror preferences), the expiry time is not honoured. That is, after the expiry time has elapsed, the cookie is still presented by konqueror to the CGIs that are then invoked.

This behaviour does not occur for:

- Netscape 4.x (Windows/Linux)
- Mozilla 0.9.x, 1.1/1.2 (Linux)
- IE 5.5 and IE 6 for Windows
- IE for MacOS X.

Given that, I'm reasonably confident that this is a failure specific to konqueror.

I had a look through the other cookie related problems for konqueror and while there are some problems that are of a similar nature, none appear to deal with failing to obey expiry time for cookies.
I should note: This problem occurs with the standard KDE 3.0.3 that comes with Mandrake 9 and KDE 3.1 RC5 from the Mandrake Cooker section.
It would appear that cookies that should expire are expired if you restart konqueror.
I tried with

1.php

    <?
    setCookie("foo","bar",time()+60,"/");
    ?>

and

2.php

    <?
    if (isset($foo)) {
        print("foo is set");
    } else {
        print ("foo is not set");
    }
    ?>

it seems to work correctly (after a while, 2.php says 'foo is not set' again)
kde 3.1RC6 (and I just tested with 3.0.5a too)

you can test it here

http://kervel.mine.nu:8080/~kervel/cookietest/1.php
http://kervel.mine.nu:8080/~kervel/cookietest/2.php
http://kervel.mine.nu:8080/~kervel/cookietest/3.php deletes the cookie by giving it a past expire time.
Subject: Re: Cookie expiry vulnerability security flaw

Hi,

OK, so it works with PHP. I wonder if it's a CGI only problem? Mind you, you're using two versions I haven't had a chance to test yet so I'll try RC6 as soon as the cooker RPMs are released...

Cheers,

-Preston.

kervel@drie.kotnet.org wrote:
> ------- You are receiving this mail because: -------
> You reported the bug, or are watching the reporter.
>
> http://bugs.kde.org/show_bug.cgi?id=52776
>
> ------- Additional Comments From kervel@drie.kotnet.org 2003-01-09 04:20 -------
> i tried with
> 1.php
> <?
> setCookie("foo","bar",time()+60,"/");
> ?>
>
> and
> 2.php
> <?
> if (isset($foo)) {
> print("foo is set");
> } else {
> print ("foo is not set");
> }
> ?>
>
> it seems to work correctly (after a while, 2.php says 'foo is not set'
> again)
> kde 3.1RC6 (and i just tested with 3.0.5a too)
>
> you can test it here
>
> http://kervel.mine.nu:8080/~kervel/cookietest/1.php
>
> http://kervel.mine.nu:8080/~kervel/cookietest/2.php
>
> http://kervel.mine.nu:8080/~kervel/cookietest/3.php deletes the cookie by giving
> it a past expire time.
Subject: Re: Cookie expiry vulnerability security flaw

Please provide a URL where we can reproduce this behaviour. If you set the cookie policy to ask, what is the expire time as reported by the cookie dialog?

Cheers,
Waldo
Subject: Re: Cookie expiry vulnerability security flaw

> ------- Additional Comments From bastian@kde.org 2003-01-09 13:16 -------
> Subject: Re: Cookie expiry vulnerability security flaw
>
> Please provide a URL where we can reproduce this behaviour. If you set the
> cookie policy to ask, what is the expire time as reported by the cookie
> dialog?

It will take me +3 weeks to supply a URL at the moment as I'm on the road and don't have access to an externally available webserver. However, here's a snippet of CGI code...

    use CGI;
    my $query = new CGI;

    my $cookie = $query->cookie(-name=>"CookieName",
                                -value=>"$username|$password",
                                -expires=>"+1h");
    print $query->header(-cookie=>[$cookie]);
    print $query->end_html;

I don't know if attachments are accepted by the bug list but I've attached a screen-shot of the offending cookie. This was from me logging into the system a few minutes ago :)

The "expires" string on the cookie is "2003-01-10 09:28", which means it should expire at 09:28 this morning. However, experience tells me that it will remain there until such time as I restart konqueror.

Cheers,

-Preston de Guise.
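The CGI in the comment above relies on the browser to stop sending the cookie once `-expires` has passed. As an added example (not code from this report or from KDE), the Perl below carries the expiry inside an HMAC-signed cookie value and checks it on the server at every request, so a client that keeps presenting a stale cookie is still refused. The key, the `user|expiry|mac` layout, the function names and the sample values are assumptions; the password is deliberately left out of the cookie.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: placeholder key; load a random secret from protected config instead.
my $SECRET = 'replace-with-random-server-side-secret';
my $TTL    = 3600;    # one hour, matching -expires=>"+1h" in the CGI above

# Build "username|expiry|mac"; the MAC binds the expiry to the username.
sub make_token {
    my ($username, $now) = @_;
    die "unsupported username\n" unless $username =~ /\A[\w.\-]+\z/;
    my $expiry = $now + $TTL;
    return join '|', $username, $expiry,
        hmac_sha256_hex("$username|$expiry", $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the username if the token is authentic and unexpired, else nothing.
sub check_token {
    my ($token, $now) = @_;
    return unless defined $token;
    my ($username, $expiry, $mac) =
        $token =~ /\A([\w.\-]+)\|(\d+)\|([0-9a-f]{64})\z/ or return;
    return unless ct_equal($mac, hmac_sha256_hex("$username|$expiry", $SECRET));
    return if $now >= $expiry;    # enforced here, whatever the client does
    return $username;
}

# Constructed sample: one token replayed at increasing ages.
my $issued = 1042151280;          # constructed timestamp
my $token  = make_token('alice', $issued);
for my $elapsed (60, 3599, 3600, 7200) {
    my $user = check_token($token, $issued + $elapsed);
    printf "+%5ds: %s\n", $elapsed,
        defined $user ? "accepted for $user" : 'rejected';
}

# A cookie whose expiry field was edited no longer matches its MAC.
(my $edited = $token) =~ s/\|(\d+)\|/'|' . ($1 + 86400) . '|'/e;
print "edited expiry: ",
    (defined(check_token($edited, $issued + 7200)) ? 'accepted' : 'rejected'), "\n";
```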
Subject: Re: Cookie expiry vulnerability security flaw

> ------- Additional Comments From bastian@kde.org 2003-01-09 13:16 -------
> Subject: Re: Cookie expiry vulnerability security flaw
>
> Please provide a URL where we can reproduce this behaviour. If you set the
> cookie policy to ask, what is the expire time as reported by the cookie
> dialog?

I should have answered your second question - sorry. I'll blame that on a lack of coffee :)

If I turn on prompt-for-confirmation for the cookies it correctly shows an expiry time 1 hour into the future - e.g., 2002-01-10 09:34

Cheers,

-Preston
Fixed. Back ported into the upcoming 3.1 release branch as well. See http://lists.kde.org/?t=104208048400003&r=1&w=2. Regards, Dawit A.
Subject: Re: Cookie expiry vulnerability security flaw

Hi,

Dawit Alemayehu wrote:
> ------- You are receiving this mail because: -------
> You reported the bug, or are watching the reporter.
>
> http://bugs.kde.org/show_bug.cgi?id=52776
> adawit@kde.org changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>          Status    |UNCONFIRMED                 |RESOLVED
>      Resolution    |                            |FIXED
>
> ------- Additional Comments From adawit@kde.org 2003-01-10 02:56 -------
> Fixed. Back ported into the upcoming 3.1 release branch as well. See
> http://lists.kde.org/?t=104208048400003&r=1&w=2.

Thanks to everyone for working on this. Again I'm much impressed with the efforts of the KDE team. I look forward to trying the next release.

Cheers,

-Preston