Bug 84232 - [testcase] Strange behaviour with sessions, domains and frames
Summary: [testcase] Strange behaviour with sessions, domains and frames
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: kcookiejar
Version: unspecified
Platform: Gentoo Packages Linux
Priority/Severity: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Duplicates: 79226 139504 150869 197510
Depends on:
Blocks:
 
Reported: 2004-06-29 23:08 UTC by Jose Antonio
Modified: 2012-05-08 16:15 UTC (History)
CC: 7 users

See Also:
Latest Commit:
Version Fixed In:

Description Jose Antonio 2004-06-29 23:08:07 UTC
Version:            (using KDE KDE 3.2.2)
Installed from:    Gentoo Packages
Compiler:          gcc (GCC) 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7) 
OS:                Linux

Maybe this is not a bug, but the behaviour doesn't reproduce in other browsers (Mozilla, Firefox, Safari and IE). I'll explain the whole story for a better understanding:
I have a php website in http://khazaddum.no-ip.com (dynamic IP) and I have registered a domain name (http://lakamarilla.org). If you open lakamarilla, you'll see an html static file that contains only a frame. In this frame, khazaddum.no-ip.com is loaded, so in the address bar you see only "http://lakamarilla.org".
In other browsers, you can start a session from the frame, and once it's started, you can log out, closing the session. The session info is stored in $HTTP_SESSION_VARS['valid-user']. It works fine.
However, in konqueror, when you log in, this variable remains empty, so the session is not started. I have tried accepting all cookies and considering them "session cookies" but the problem remains.
If you open khazaddum, instead of lakamarilla, you don't have any problems, since there is only one domain and no frames.
I think this can be a bug because I have tested it in other browsers and it doesn't reproduce.
Comment 1 Jose Antonio 2004-06-29 23:30:14 UTC
I have made the following test. I have created an html file in my $HOME. This is the source:
<html>
  <head>
    <title>kdebugs</title>
  </head>
  <frameset>
    <frame src="http://bugs.kde.org">
  </frameset>
</html>
If you open this page in mozilla, and you log in, you can see the "log out link" (the session is started). If you open the page in konqueror, and log in, you see the "log in" link, instead of "log out".
Comment 2 Louai Al-Khanji 2006-08-30 16:24:17 UTC
I can confirm using the bugs.kde.org test case above.
Comment 3 Philip Rodrigues 2006-08-30 17:20:19 UTC
Confirmed on r575787 with the b.k.o testcase
Comment 4 Louai Al-Khanji 2006-08-30 20:30:58 UTC
*** Bug 79226 has been marked as a duplicate of this bug. ***
Comment 5 Christophe Marin 2008-06-02 13:06:34 UTC
*** Bug 139504 has been marked as a duplicate of this bug. ***
Comment 6 Jaime Torres 2008-07-20 00:42:28 UTC
This works in konqueror 4.1.60 svn trunk 831729; using the testcase in comment #1, I can log in to b.k.o.
Comment 7 Philip Rodrigues 2008-07-26 15:31:03 UTC
Hrm, for me in trunk, I can log in, but if I then click on "bug tracking home", the bug tracking home page has a "log in" link (ie, it thinks I'm not logged in).
Comment 8 Dawit Alemayehu 2010-09-29 09:41:45 UTC
(In reply to comment #7)
> Hrm, for me in trunk, I can log in, but if I then click on "bug tracking home",
> the bug tracking home page has a "log in" link (ie, it thinks I'm not logged
> in).

This is the correct behavior when the "Only accept cookies from originating server" option (aka blocking 3rd-party cookies) has been checked. It protects you against cross-domain cookie stealing using frames...
Comment 9 Dawit Alemayehu 2010-12-27 04:34:02 UTC
*** Bug 150869 has been marked as a duplicate of this bug. ***
Comment 10 Dawit Alemayehu 2010-12-27 04:35:01 UTC
*** Bug 197510 has been marked as a duplicate of this bug. ***
Comment 11 Dawit Alemayehu 2011-05-26 01:43:21 UTC
At least for bugs.kde.org, I can state for sure that it is the intended behavior caused by the fact that kcookiejar will not send cookies marked secure to non-secure sites even if the hostnames are the same. You actually do not need any framed sites to duplicate this condition. You can see it by simply logging into bugs.kde.org and visiting the SSL and non-SSL versions of this bug report:

https://bugs.kde.org/show_bug.cgi?id=84232
http://bugs.kde.org/show_bug.cgi?id=84232

When you visit the latter link it will tell you that you are not logged in, even though you are, because the secure session cookies will never be sent to the non-secure version of the same site whenever the cookie is marked as such. Hence, that is not a bug, but a correct behavior that is intended to protect you against information leak.
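As an added example (not code from this report or from kcookiejar itself), a small Python model of the two send-or-withhold rules described in comments 8 and 11: a Secure cookie is withheld from http:// requests to the same host, and with third-party blocking on, a framed host that is not the address-bar site gets no cookies. The Cookie class, the sample cookie names and the two-label same-site test are assumptions for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str           # host the cookie was set for
    secure: bool = False  # the cookie's "Secure" attribute


def host_matches(cookie_domain: str, host: str) -> bool:
    """Domain-match: the exact host or a subdomain of the cookie's domain."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = (host or "").lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def same_site(host_a: str, host_b: str) -> bool:
    """Simplified same-site test on the last two DNS labels (a stand-in for
    the Public Suffix List a real cookie jar would consult)."""
    if not host_a or not host_b:
        return False
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def cookies_to_send(jar, request_url, top_level_url, block_third_party):
    """Names of the cookies attached to request_url when the document in
    the address bar is top_level_url.  Two rules from this report:
      comment 11: a Secure cookie travels only over https, even to the same host;
      comment 8:  with block_third_party set, a framed host that is not the
                  address-bar site receives no cookies at all."""
    req, top = urlsplit(request_url), urlsplit(top_level_url)
    sent = []
    for c in jar:
        if not host_matches(c.domain, req.hostname):
            continue  # cookie belongs to another host
        if c.secure and req.scheme != "https":
            continue  # comment 11: never downgrade a Secure cookie to http
        if block_third_party and not same_site(req.hostname, top.hostname):
            continue  # comment 8: third-party (framed) context, withhold
        sent.append(c.name)
    return sent


# Constructed sample jar: a Secure login cookie for bugs.kde.org and a plain
# PHP session cookie for the framed site from the original report.
JAR = [
    Cookie("login_session", "bugs.kde.org", secure=True),
    Cookie("PHPSESSID", "khazaddum.no-ip.com"),
]
```

Running the report's two scenarios through it reproduces what the commenters saw: the https:// bug page gets the login cookie, the http:// copy of the same page does not, and bugs.kde.org inside a local frameset gets nothing while third-party blocking is on.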
Comment 12 Dawit Alemayehu 2012-05-08 16:15:10 UTC
KDE 3 is no longer maintained. However, for resolution to the problems reported here, see comment #8 and comment #11. Also, the test scenario given in comment #1 works just fine here in KDE 4.8.3. Feel free to reopen this ticket if that is not the case for you.