Bug 135175

Summary: Per-site cookie policy does not apply to cookies set for subdomains
Product: [Applications] konqueror Reporter: Tap
Component: kcookiejarAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: flameeyes, georg.wittenburg
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Cookie domain patch

Description Tap 2006-10-06 01:49:42 UTC 
Version:           3.5.4 (using KDE 3.5.4, compiled sources)
Compiler:          gcc version 3.4.6
OS:                Linux (i686) release 2.4.33

I have the default cookie policy set to Reject all cookies, and an individual domain entry for .livejournal.com set to Accept. However, when I try to log in, it fails, because one of the (four) cookies LiveJournal sets, ljmastersession, is specifically keyed to the domain .www.livejournal.com, and is not sent back in subsequent requests.

Adding a separate domain entry for .www.livejournal.com and setting it to Accept causes the cookie to be sent.

However, I think having a domain entry for .livejournal.com should cause all cookies set specifically to subdomains to also be sent.

How to reproduce: Go to www.livejournal.com with the above cookie settings and try to log in. LiveJournal only presents another login form, and running tcpdump shows that ljuniq, ljsession, and ljloggedin are sent, while ljmastersession is not.
Comment 1 P. Varet 2006-11-01 05:23:50 UTC 
Bug confirmed.

There are two aspects to this bug:

1) When a cookie is set with a specific host as its cookie-domain (in this particular case, www.livejournal.com), Konqueror seeks to apply the non-existent policy for domain .www.livejournal.com instead of using that of .livejournal.com, because it mixes up policy domains, as specified by the user, and cookie domains, as set in each cookie. If the cookie's domain doesn't exactly match an existing policy domain, typically when the cookie's domain is a specific host, you're out of luck.

2) Checks on policy domains don't check the policy of parent domains.

The fix for #1 is thankfully very simple. Patch follows.

If the KDE developers judge it necessary, I'll try to write a patch to correct #2 as well, although the following micropatch is sufficient to make livejournal (and other sites) work fine.
Comment 2 P. Varet 2006-11-01 05:25:58 UTC 
Created attachment 18341 [details]
Cookie domain patch

Patch against branches/KDE/3.5; should work against earlier versions as well.
Comment 3 Diego Elio Pettenò 2006-12-01 02:48:54 UTC 
Is something going on on this, or should distribution consider applying the patch till somebody can take care of this upstream?
Comment 4 Dawit Alemayehu 2007-09-03 09:50:52 UTC 
SVN commit 707870 by adawit:

- Fix livejournal login problem as reported by BR# 135175. Accepted patch by Sundance.
  Verified by the cookiejar tester.

BUG:135175



 M  +1 -1      kcookiejar.cpp  


--- trunk/KDE/kdelibs/kioslave/http/kcookiejar/kcookiejar.cpp #707869:707870
@@ -560,7 +560,7 @@
     if (cookiePtr->domain().isEmpty())
        stripDomain( cookiePtr->host(), domain);
     else
-       domain = cookiePtr->domain();
+       stripDomain( cookiePtr->domain(), domain);
     return domain;
 }
Comment 5 Dawit Alemayehu 2007-09-03 09:56:40 UTC 
*** Bug 121197 has been marked as a duplicate of this bug. ***