From: Shérab
Subject: [Lynx-dev] Tr: Re: [infrastructure] [Cookie problem ?] Can't log in to drupal.org
Date: Mon, 6 Jun 2011 10:14:54 +0200
Hello again Thomas and all,
I am forwarding two answers I got from the infrastructure mailing list
in charge of Drupal.org.
According to these answers, the problem might have more to do with
domain than with path attribute of cookies...
But anyway it's good to know there will ultimately be a solution...
Sherab.
----- Forwarded message from Damien Tournoud <address@hidden> -----
From: Damien Tournoud <address@hidden>
Subject: Re: [infrastructure] [Cookie problem ?] Can't log in to drupal.org
Date: Sun, 5 Jun 2011 17:11:16 +0200
To: "Drupal.org Infrastructure Maintainers" <address@hidden>,
Shérab <address@hidden>
Hi everyone,
This is a well-known issue in Lynx. Lynx is known to implement the
original Cookie RFC (RFC 2109) correctly; it is probably also the only
browser that does.
According to RFC 2109, the domain part of Set-Cookie *MUST* begin with
a dot, and "[1]example.com" is not a "domain-match" for
".[2]example.com". As a consequence, cookies set for ".[3]drupal.org"
do not apply to "[4]drupal.org". This (arguably silly) requirement has
never been implemented by mainstream browsers and is now officially
reverted by the newer RFC 6265.
(More precisely, RFC 6265 mandates that browsers should ignore a
leading "." in the Domain attribute if sent by the server. See section
5.2.3. This is an extension of the behavior currently implemented in
most browsers, and makes it impossible to have cookies that apply to
[5]example.com, but not [6]x.example.com.)
Not a lot of things we can do here. There might be some configuration
options that force Lynx to behave better.
Damien
On Sun, Jun 5, 2011 at 3:01 PM, Greg Knaddison
<address@hidden> wrote:
I just tried logging in with Lynx built from scratch on a ~2.5 year
old mac.
Lynx Version 2.8.6rel.5 (09 May 2007)
libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.8k, ncurses 5.7.20081102
Built on darwin9.5.0 Dec  4 2008 11:23:33
It never logged me in. The /user page just presented itself again
without any drupal_set_messaging stating a problem nor success.
I ssh'd to an 8.04 Ubuntu server and tried logging in with the
standard Lynx on that machine. I was redirected to my user page, but if
I try to edit the page I am not actually logged in. The same is true
for me on other sites running Drupal of approximately 6.21 vintage.
I get the feeling that Lynx is either dropping cookies or Drupal isn't
sending them back properly. I configured Lynx to warn about invalid
cookies but didn't see any messages.
Greg
On Sun, Jun 5, 2011 at 6:07 AM, Shérab
<address@hidden> wrote:
> Hello again, randy and all,
>
> Randy Fay (2011/06/04 23:17 -0600):
>> I just logged into [1][9]drupal.org using lynx with no trouble at all.
>
> Are you really sure ?
>
> I mean: when I log in I indeed end up on my profile page, which can give
> a feeling that the log in was successfully performed (which is true).
> However, there are no links to modify the info on that page, so I think
> I view it as if I were not logged in. In other words, although I land on
> my profile page, I think I see it exactly the same way I'd see it if I
> didn't log in at all, or if it was you looking at my profile page.
>
> Can you also observe this behaviour ?
>
> Best wishes,
> Sherab.
[10]http://lists.drupal.org/mailman/listinfo/infrastructure ]
>
--
Greg Knaddison | [11]720-310-5623 |
[12]http://growingventuresolutions.com
Security Services for Drupal sites: [13]http://drupalscout.com
--
[ infrastructure |
[14]http://lists.drupal.org/mailman/listinfo/infrastructure ]
References
1. http://example.com/
2. http://example.com/
3. http://drupal.org/
4. http://drupal.org/
5. http://example.com/
6. http://x.example.com/
7. mailto:address@hidden
8. mailto:address@hidden
9. http://drupal.org/
10. http://lists.drupal.org/mailman/listinfo/infrastructure
11. tel:720-310-5623
12. http://growingventuresolutions.com/
13. http://drupalscout.com/
14. http://lists.drupal.org/mailman/listinfo/infrastructure
----- End forwarded message -----
----- Forwarded message from Damien Tournoud <address@hidden> -----
From: Damien Tournoud <address@hidden>
Subject: Re: [infrastructure] [Cookie problem ?] Can't log in to drupal.org
Date: Sun, 5 Jun 2011 19:59:50 +0200
To: "Drupal.org Infrastructure Maintainers" <address@hidden>
Hello again,
On Sun, Jun 5, 2011 at 6:50 PM, Shérab
<address@hidden> wrote:
> According to RFC 2109, the domain part of Set-Cookie *MUST* begin with
> a dot, and "[1][2]example.com" is not a "domain-match" for
> ".[2][3]example.com". As a consequence, cookies set for ".[3][4]drupal.org"
> do not apply to "[4][5]drupal.org". This (arguably silly) requirement has
> never been implemented by mainstream browsers and is now officially
> reverted by the newer RFC 6265.
So you are aware that the domain for the cookies sent by DO is
"domain=.[6]drupal.org" ?
I thought this is precisely the requirement...
There are two significant requirements in RFC 2109:
(1) the domain part of Set-Cookie *MUST* begin with a dot (that's
what we have in [7]drupal.org)
(2) a cookie set for ".[8]example.com" doesn't match "[9]example.com"
and as a consequence should not be sent there
> Not a lot of things we can do here.
Not even setting $cookie_domain in settings.php for [10]drupal.org ?
Or perhaps would that introduce a regression ?
The problem is precisely that in our case, we want the cookies to be
valid for *both* [11]drupal.org and *.[12]drupal.org. That's not
possible in RFC 2109, and it doesn't really matter anyway, because no
browser (except Lynx) does respect this RFC.
Damien
References
1. mailto:address@hidden
2. http://example.com/
3. http://example.com/
4. http://drupal.org/
5. http://drupal.org/
6. http://drupal.org/
7. http://drupal.org/
8. http://example.com/
9. http://example.com/
10. http://drupal.org/
11. http://drupal.org/
12. http://drupal.org/
--
[ infrastructure | http://lists.drupal.org/mailman/listinfo/infrastructure ]
----- End forwarded message -----
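
The two matching rules contrasted in the forwarded replies, modelled as an added example (not code from the thread, from Lynx or from Drupal): it checks whether a cookie carrying a given Domain attribute would be returned to a host under RFC 2109 and under RFC 6265. The function names and the hosts www.drupal.org and notdrupal.org are constructed for illustration; public-suffix checks and cookies sent without a Domain attribute are not modelled.

```python
import ipaddress


def _is_ip(host):
    """True if host is an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def sent_under_rfc2109(request_host, domain_attr):
    """Would a cookie with this Domain attribute go to request_host (RFC 2109)?"""
    host, domain = request_host.lower(), domain_attr.lower()
    # Section 4.3.2: Domain must start with a dot and contain an embedded dot,
    # otherwise the cookie is rejected outright.
    if not domain.startswith(".") or "." not in domain[1:]:
        return False
    # Domain-match: host must be N + domain with N non-empty, so
    # "example.com" does not domain-match ".example.com".
    return not _is_ip(host) and host.endswith(domain) and len(host) > len(domain)


def sent_under_rfc6265(request_host, domain_attr):
    """Same question under RFC 6265 (assumes a non-empty Domain attribute)."""
    host, domain = request_host.lower(), domain_attr.lower()
    # Section 5.2.3: a leading dot sent by the server is ignored.
    if domain.startswith("."):
        domain = domain[1:]
    # Section 5.1.3: identical, or host ends with "." + domain and is not an IP.
    return host == domain or (not _is_ip(host) and host.endswith("." + domain))


def compare(domain_attr, hosts):
    """Map each host to (RFC 2109 result, RFC 6265 result)."""
    return {h: (sent_under_rfc2109(h, domain_attr),
                sent_under_rfc6265(h, domain_attr)) for h in hosts}


# Constructed sample hosts; ".drupal.org" is the Domain value quoted in the thread.
HOSTS = ["drupal.org", "www.drupal.org", "notdrupal.org"]

if __name__ == "__main__":
    for attr in (".drupal.org", "drupal.org"):
        for host, (old, new) in compare(attr, HOSTS).items():
            print(f"Domain={attr:<12} host={host:<15} "
                  f"RFC2109={old!s:<5} RFC6265={new}")
```

Neither Domain value makes the RFC 2109 column true for both drupal.org and www.drupal.org, while under RFC 6265 both values behave identically.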