[Savannah-dev] [Bug #1399] Problems with login cookies: don't work with


From: nobody
Subject: [Savannah-dev] [Bug #1399] Problems with login cookies: don't work with http, only https
Date: Tue, 22 Oct 2002 11:42:20 -0400

=================== BUG #1399: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1399&group_id=11

Changes by: Mathieu Roy <address@hidden>
Date: 2002-Oct-22 17:42 (Europe/Paris)

------------------ Additional Follow-up Comments ----------------------------
[INFONEEDED]
Just a precision: are you sure that it's not a browser cache trouble? 

For instance, if I try with links: 
I login, I'm redirected to https://savannah.gnu.org/my

If I go to http://savannah.gnu.org -which page is in my browser cache, since I 
had previously been there, before login-, I get a non-logged in page. 

If I type CTRL-R, which does a full page reload with links (same goes for many 
browsers, though), then I get a logged in page.



=================== BUG #1399: FULL BUG SNAPSHOT ===================


Submitted by: psmith                    Project: Savannah                       
Submitted on: 2002-Oct-11 18:42
Category:  PHP Engine                   Severity:  5 - Average                  
Priority:  None                         Bug Group:  None                        
Resolution:  Works for me               Assigned to:  yeupou                    
Status:  Open                           Effort:  0.00                           

Summary:  Problems with login cookies: don't work with http, only https

Original Submission:  After I log in to Savannah, I have a cookie (I assume) 
that remembers my login.  This is fine with one problem: it only seems to be 
available if I use the https (SSL) connection.  If I type in a URL like 
http://savannah.gnu.org then my login is lost.  It would be nice if the cookie 
could be available even for non-SSL connections, since most of my bookmarks, 
etc. use simple http://...

If that can't be done, please modify the URLs that the trackers send out to use 
https://... instead of http://... so that when I get a new bug announcement I 
can click on the link and when it comes up in my browser it's using my existing 
login, rather than my having to edit the URL in the browser box to add the "s" 
to make it https://...  Note that it's fine to connect with https://... 
addresses even if you're not logged in; it works the same.

Follow-up Comments
*******************

-------------------------------------------------------
Date: 2002-Oct-22 17:42             By: yeupou
[INFONEEDED]
Just a precision: are you sure that it's not a browser cache trouble? 

For instance, if I try with links: 
I login, I'm redirected to https://savannah.gnu.org/my

If I go to http://savannah.gnu.org -which page is in my browser cache, since I 
had previously been there, before login-, I get a non-logged in page. 

If I type CTRL-R, which does a full page reload with links (same goes for many 
browsers, though), then I get a logged in page.

-------------------------------------------------------
Date: 2002-Oct-21 21:16             By: psmith
Sorry; you should install the "lynx-ssl" package.  I forgot it's a different 
package to get SSL support.

I don't use kerberos, I use ssh access.  Anyway, it shouldn't matter because, 
first, the new user account "psmithtst" I created is a simple Savannah-only 
user account: it has no development access and no login access to any GNU 
systems, etc.  It's the same kind of account that someone completely uninvolved 
with GNU would create through the Savannah web interface.  Second, you don't 
_have_ to create it logged into fencepost.  My "normal" account was not created 
through fencepost.

I was only using fencepost and lynx since I thought if we could both log into 
the same system and use the same browser utility, this could further eliminate 
potential differences that might be causing your setup to work and mine to fail.

-------------------------------------------------------
Date: 2002-Oct-21 21:02             By: yeupou
I've just the default Debian GNU/Linux sid's lynx version, and ssl support isn't 
compiled in. 

address@hidden:~$ dpkg --status lynx
Package: lynx
Status: install ok installed
Priority: standard
Section: web
Installed-Size: 3500
Maintainer: James Troup <address@hidden>
Version: 2.8.4.1b-3
Provides: www-browser, news-reader
Depends: libc6 (>= 2.2.4-4), libncurses5 (>= 5.2.20010310-1), zlib1g (>= 1:1.1.3)
[...]

I cannot log in on fencepost, my access has not been reestablished. It is kind 
of problematic. I tried logging in with all the boxes that I can access, running 
different OSes (on my personal network, RH 7.3 and Debian Sid, Debian Woody 
elsewhere) and I am still unable to reproduce that.

It may not be a matter of browser but of account. I assume the account you are 
using is a kerberos account. It can be the cause of the trouble.
For instance, I'm not sure at all that I've checked every kerberos related 
stuff the last time I edited the login procedure.
Anyway, it remains weird, since if you uncheck "login also on sv.nongnu.org", 
the procedure should be exactly how it used to be.

Finally, I need to really recheck everything but for now I've run out of time. 
Maybe I'll do this in a few hours, or hopefully tomorrow. 

-------------------------------------------------------
Date: 2002-Oct-21 20:04             By: psmith
Compiling SSL into Lynx is optional.  If the version of lynx on your system 
doesn't support SSL it just means that it wasn't compiled with SSL.  If you log 
in to fencepost.gnu.org and use the version there (which is also the version 
provided in the latest Debian GNU/Linux distros) it will have SSL support 
compiled in.  After playing with Lynx I've never seen any "intermittent SSL 
problems", except this one, so I'm not sure what that means.

Anyway, if you check the previous messages of this case you'll see that I 
originally had the problem with Galeon/Mozilla, and I've also tried it with 
Netscape and got the same behavior.  I don't use Lynx at all normally, I just 
thought it would be easier to reproduce the problem and see that it wasn't a 
browser bug if we used a very simple browser like lynx, which doesn't have so 
many configuration options, cookie storage, etc. etc.

Were you able to reproduce the problem using the username/password of the test 
user that I provided?

-------------------------------------------------------
Date: 2002-Oct-21 19:02             By: yeupou
Note that, as told on the login page, lynx has intermittent trouble with ssl. 
I haven't got any information about those troubles, but it's maybe simply that..

-------------------------------------------------------
Date: 2002-Oct-21 19:01             By: yeupou
In fact, I have trouble testing it. 

My links version
(address@hidden:~$ lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
Compilé le linux-gnu Jan 26 2002 01:23:03

Copyright tenu par l'université du Kansas, du CERN, et d'autres contribuants
Distribué sous le permis de grand public de GNU
Voyez http://lynx.browser.org / et d'aide en ligne pour plus d'information.)

does not support ssl.


Can you (re !!)try with another browser?

-------------------------------------------------------
Date: 2002-Oct-21 18:43             By: psmith
Utterly bizarre!  I just created a whole new account, from scratch, and I still 
see the exact same behavior.  Here is a detailed, step-by-step account of 
exactly what I did:

Login to your account on fencepost.gnu.org.

$ cd ~

$ mv .lynxrc lynxrc-keep

$ /usr/bin/lynx http://savannah.gnu.org

Select "New User via SSL"

username: psmithtst
passwd:   <somepasswd>
username: Paul Smith test
email:    address@hidden
Receive updates left selected

Register

...wait for email...

Type "g" in lynx, then cut/paste the URL you got in the mail.

Enter login name and password (psmithtst / <somepasswd>), and select the 
"Login" link.

Lynx asks you if you want to allow this cookie; say "y".

Now you're logged in (under "Login Status:" you can see links to your homepage, 
etc.)

Type "g" in lynx, then enter "http://savannah.gnu.org".  Now you're not logged 
in (under "Login Status:" it says "NOT LOGGED IN").

Type "g" in lynx, then enter "https://savannah.gnu.org".  Now you're logged in 
again.

Repeat as many times as desired.

That's about as straightforward as it gets!  If you can't reproduce this 
following these steps, using lynx from fencepost and no customized .lynxrc 
file, etc., I simply don't know what to say!

I'll send you the password I used for the test account in a direct email, so 
you can try the account I created yourself.

-------------------------------------------------------
Date: 2002-Oct-20 11:43             By: yeupou
I did all these tests. I still do not understand and am unable to reproduce 
this behavior.

-------------------------------------------------------
Date: 2002-Oct-12 18:30             By: psmith
I agree that, if the login issue can be fixed, you don't need to change the 
email URLs (although it couldn't hurt: it might be that people don't realize 
they aren't using a secure connection when they click those links).  My bug 
report said "if that can't be done, [then] please modify the URLs".

All I can say is that there must be something different about my Savannah 
account, or about your Savannah account, that is causing this.  I just tried 
with lynx as well, and I tried from home, and I still see the same behavior.

In fact, I just logged into my fencepost.gnu.org account and ran "lynx 
http://savannah.gnu.org", then picked "Login via SSL", then logged in, then 
used "g" to get a URL prompt and typed in "http://savannah.gnu.org" and... same 
thing.  Now I'm not logged in again.  Now I use "g" and enter 
"https://savannah.gnu.org" and bingo, I'm logged in.

Maybe it's because your account is an admin account or something?  Or maybe in 
the past you've chosen the "remember me" option for your account and that makes 
it work?  Can you try creating a new account with no special privileges and not 
selecting "remember me" or the "login to nongnu" options, and doing this test 
there?

I'm willing to create a new account as well as a test, if you can delete it for 
me after we're done.  Let me know; thanks.

-------------------------------------------------------
Date: 2002-Oct-12 11:01             By: yeupou
"First, let me be more clear; when I said "URLs the tracker sends out" I meant 
the ones that appear in the _email_ notifications, not on the web page; none of 
the emailed URLs use https:// they all use http://. Sorry, I didn't explain 
that well at all :-/."

Ok, but I do not see any particular reason to send a mail with https.

The problem is the fact that you cannot be logged in via http but only via 
https.

My problem is the fact that I clearly cannot reproduce your problem, with any 
browser I can access. 

Can someone else among the savannah hackers give it a try?

I tried with
RedHat 7.3  : mozilla, galeon, konqueror, links
Debian 3.0 : links




-------------------------------------------------------
Date: 2002-Oct-11 19:34             By: psmith
First, let me be more clear; when I said "URLs the tracker sends out" I meant 
the ones that appear in the _email_ notifications, not on the web page; none of 
the emailed URLs use https:// they all use http://.  Sorry, I didn't explain 
that well at all :-/.

I'm using Debian GNU/Linux 3.0 with Galeon 1.2.5, with the Mozilla 1.0.0 
engine.  But, this is not a new thing; it's been happening for a few versions 
of each.

And, it definitely doesn't work.  In fact I just did it again: I have Galeon 
started and I'm looking at a Savannah page where I'm logged in.  I got the 
email for the update to this bug and I clicked the "http://..." link in the 
email.  It opened a new tab in Galeon which pointed to this page, _BUT_ it said 
"you are not logged in", etc.  I edited the URL box at the top to add the "s" 
to change it to "https://..."  and then I got to the same page, but this time I 
*am* logged in.

I just started Netscape 4.77 and got the same behavior there as well.  This is 
exactly what I did:

  * Start a new copy of the browser, to be sure no previous logins exist (I do 
_NOT_ check the "remember me" box when I log in).

  * In the URL box type "http://savannah.gnu.org" (no quotes obviously).  Hit 
RETURN.

  * You are now not logged in, on the Savannah homepage.  Click the "login via 
SSL" link on the left.

  * In the login page enter your username/password.  I have "stay in SSL" 
selected, but neither of the other two (enable for nongnu or remember me).

  * I now am sent to "https://savannah.gnu.org/my" and I am logged in.

  * I now edit the URL box and remove the "s" and the "/my", so it says 
"http://savannah.gnu.org" again.  I hit RETURN (removing the /my is optional; 
if you don't do that you'll be sent back to the login screen).

Now I'm staring at the Savannah main page, and again I'm not logged in!  If I 
edit the URL back to have the "s", now I am logged in again.  Etc.

-------------------------------------------------------
Date: 2002-Oct-11 19:13             By: yeupou
Cookies are set for the domain name, whether the connection is secured or not. 
This is strange.

Can you give details about the browser you are using? 


Also, note that when you are on a page with https, all the links should begin 
with https. If not, it's a bug. If you find a bug like this, please give us 
pointers to the concerned pages.


CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=1399&group_id=11
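
The symptom reported in this bug (logged in over https://, not logged in over http://, same host) is what a client does with a session cookie that carries the Secure attribute; the thread does not say whether Savannah's cookie had it. As an added example, not part of the original report or of Savannah's code, the check below feeds a captured Set-Cookie header to Python's standard cookie jar and reports which scheme gets the cookie back; the host tracker.example and the cookie name sid are constructed.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "tracker.example"  # constructed host, stands in for the site under test


class CapturedResponse:
    """Minimal response object exposing a captured Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(set_cookie, later_url,
                      login_url="https://" + HOST + "/account/login.php"):
    """Return the Cookie header a client would send to later_url after
    receiving set_cookie from login_url, or None if no cookie is sent."""
    jar = CookieJar()
    # Store the cookie as if it arrived in the login response.
    jar.extract_cookies(CapturedResponse(set_cookie), Request(login_url))
    later = Request(later_url)
    # Let the jar's policy decide whether the cookie applies to this URL.
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


def diagnose(set_cookie):
    """Map each scheme to whether the session cookie would be returned."""
    return {
        scheme: cookie_header_for(set_cookie, scheme + "://" + HOST + "/") is not None
        for scheme in ("http", "https")
    }


if __name__ == "__main__":
    # Constructed Set-Cookie values: one with Secure, one without.
    for header in ("sid=abc123; Path=/; Secure", "sid=abc123; Path=/"):
        print(header, "->", diagnose(header))
```

If the header captured from the real login response shows the cookie returned on both schemes, the Secure attribute is ruled out and the cached-page explanation raised in the follow-ups is the next thing to test.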



