
Re: [Lynx-dev] Tr: Re: [infrastructure] [Cookie problem ?] Can't log in


From: Thomas Dickey
Subject: Re: [Lynx-dev] Tr: Re: [infrastructure] [Cookie problem ?] Can't log in to drupal.org
Date: Mon, 6 Jun 2011 04:17:52 -0400 (EDT)

On Mon, 6 Jun 2011, Shérab wrote:

Hello again Thomas and all,

I am forwarding two answers I got from the infrastructure mailing list
in charge of Drupal.org.
According to these answers, the problem might have more to do with
domain than with path attribute of cookies...

But anyway it's good to know there will ultimately be a solution...

Sherab.

----- Forwarded message from Damien Tournoud <address@hidden> -----

From: Damien Tournoud <address@hidden>
Subject: Re: [infrastructure] [Cookie problem ?] Can't log in to drupal.org
Date: Sun, 5 Jun 2011 17:11:16 +0200
To: "Drupal.org Infrastructure Maintainers" <address@hidden>,
        Shérab <address@hidden>

  Hi everyone,

  This is a well-known issue in Lynx. Lynx is known to implement the
  original Cookie RFC (RFC 2109) correctly; it is probably also the only
  browser that does.

  According to RFC 2109, the domain part of Set-Cookie *MUST* begin with
  a dot, and "[1]example.com" is not a "domain-match" for
  ".[2]example.com". As a consequence, cookies set for ".[3]drupal.org"
  do not apply to "[4]drupal.org". This (arguably silly) requirement has
  never been implemented by mainstream browsers and is now officially
  reverted by the newer RFC 6265.

Looking at my trace, I do see a ".", but was able to login.
So the problem is perhaps a little more obscure.

(I see that I have more work to do ;-)

  (More precisely, RFC 6265 mandates that browsers should ignore a
  leading "." in the Domain attribute if sent by the server. See section
  5.2.3. This is an extension of the behavior currently implemented in
  most browsers, and makes it impossible to have cookies that apply to
  [5]example.com, but not [6]x.example.com.)

  Not a lot of things we can do here. There might be some configuration
  options that force lynx to behave better.

  Damien

  On Sun, Jun 5, 2011 at 3:01 PM, Greg Knaddison
  <address@hidden> wrote:

    I just tried logging in with Lynx built from scratch on a ~2.5 year
    old mac.
    Lynx Version 2.8.6rel.5 (09 May 2007)
    libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.8k, ncurses 5.7.20081102
    Built on darwin9.5.0 Dec  4 2008 11:23:33
    It never logged me in. The /user page just presented itself again
    without any drupal_set_messaging stating a problem nor success.
    I ssh'd to an 8.04 Ubuntu server and tried logging in with the
    standard Lynx on that machine. I was redirected to my user page, but if
    I try to edit the page I am not actually logged in. The same is true
    for me on other sites running Drupal of approximately 6.21 vintage.
    I get the feeling that Lynx is either dropping cookies or Drupal isn't
    sending them back properly. I configured Lynx to warn about invalid
    cookies but didn't see any messages.
    Greg

  On Sun, Jun 5, 2011 at 6:07 AM, Shérab
  <address@hidden> wrote:
  > Hello again, randy and all,
  >
  > Randy Fay (2011/06/04 23:17 -0600):
  >>    I just logged into [1][9]drupal.org using lynx with no trouble at all.
  >
  > Are you really sure ?
  >
  > I mean: when I log in I indeed end up on my profile page, which can give
  > a feeling that the log in was successfully performed (which is true).
  > However, there are no links to modify the info on that page, so I think
  > I view it as if I were not logged in. In other words, although I land on
  > my profile page, I think I see it exactly the same way I'd see it if I
  > didn't log in at all, or if it was you looking at my profile page.
  >
  > Can you also observe this behaviour ?
  >
  > Best wishes,
  > Sherab.
  [10]http://lists.drupal.org/mailman/listinfo/infrastructure ]
  >

    --
    Greg Knaddison | [11]720-310-5623 |
    [12]http://growingventuresolutions.com
    Security Services for Drupal sites: [13]http://drupalscout.com

  --
  [ infrastructure |
  [14]http://lists.drupal.org/mailman/listinfo/infrastructure ]

References

  1. http://example.com/
  2. http://example.com/
  3. http://drupal.org/
  4. http://drupal.org/
  5. http://example.com/
  6. http://x.example.com/
  7. mailto:address@hidden
  8. mailto:address@hidden
  9. http://drupal.org/
 10. http://lists.drupal.org/mailman/listinfo/infrastructure
 11. tel:720-310-5623
 12. http://growingventuresolutions.com/
 13. http://drupalscout.com/
 14. http://lists.drupal.org/mailman/listinfo/infrastructure

----- End forwarded message -----
----- Forwarded message from Damien Tournoud <address@hidden> -----

From: Damien Tournoud <address@hidden>
Subject: Re: [infrastructure] [Cookie problem ?] Can't log in to drupal.org
Date: Sun, 5 Jun 2011 19:59:50 +0200
To: "Drupal.org Infrastructure Maintainers" <address@hidden>

  Hello again,

  On Sun, Jun 5, 2011 at 6:50 PM, Shérab
  <address@hidden> wrote:

  >    According to RFC 2109, the domain part of Set-Cookie *MUST* begin with
  >    a dot, and "[1][2]example.com" is not a "domain-match" for
  >    ".[2][3]example.com". As a consequence, cookies set for ".[3][4]drupal.org"
  >    do not apply to "[4][5]drupal.org". This (arguably silly) requirement has
  >    never been implemented by mainstream browsers and is now officially
  >    reverted by the newer RFC 6265.

    So you are aware that the domain for the cookies sent by DO is
    "domain=.[6]drupal.org" ?
    I thought this is precisely the requirement...

  There are two significant requirements in RFC 2109:
  (1) the domain part of Set-Cookie *MUST* begin with a dot (that's
  what we have in [7]drupal.org)
  (2) a cookie set for ".[8]example.com" doesn't match "[9]example.com"
  and as a consequence should not be sent there

  >    Not a lot of things we can do here.

    Not even setting $cookie_domain in settings.php for [10]drupal.org ?
    Or perhaps would that introduce a regression ?

  The problem is precisely that in our case, we want the cookies to be
  valid for *both* [11]drupal.org and *.[12]drupal.org. That's not
  possible in RFC 2109, and it doesn't really matter anyway, because no
  browser (except Lynx) does respect this RFC.
  Damien

References

  1. mailto:address@hidden
  2. http://example.com/
  3. http://example.com/
  4. http://drupal.org/
  5. http://drupal.org/
  6. http://drupal.org/
  7. http://drupal.org/
  8. http://example.com/
  9. http://example.com/
 10. http://drupal.org/
 11. http://drupal.org/
 12. http://drupal.org/

--
[ infrastructure | http://lists.drupal.org/mailman/listinfo/infrastructure ]


----- End forwarded message -----

_______________________________________________
Lynx-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/lynx-dev


--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
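
The two domain-matching rules discussed in this thread, side by side, as an added example that is not part of the original messages and is not Lynx's or Drupal's code. It follows the text of RFC 2109 (sections 2 and 4.3.2) and RFC 6265 (sections 5.1.3 and 5.2.3) for a cookie that carries an explicit Domain attribute; the function names are hypothetical, and the public-suffix check and host-only cookies (no Domain attribute) are left out.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match_2109(host, domain):
    # RFC 2109 section 2: equal strings, or host = N + domain where N is
    # non-empty and domain begins with a dot.
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if _is_ip(host) or not domain.startswith("."):
        return False
    return host.endswith(domain) and len(host) > len(domain)

def accept_2109(host, domain_attr):
    # RFC 2109 section 4.3.2 rejection rules for an explicit Domain attribute.
    d = domain_attr.lower()
    if not d.startswith(".") or "." not in d[1:-1]:
        return False          # no leading dot, or no embedded dot
    if not domain_match_2109(host, d):
        return False          # request-host does not domain-match
    return "." not in host.lower()[:-len(d)]   # prefix H must be one label

def cookie_domain_6265(domain_attr):
    # RFC 6265 section 5.2.3: drop one leading dot, lower-case the rest.
    d = domain_attr.lower()
    return d[1:] if d.startswith(".") else d

def accept_6265(host, domain_attr):
    # RFC 6265 section 5.1.3: identical, or suffix on a label boundary.
    host, d = host.lower(), cookie_domain_6265(domain_attr)
    return host == d or (host.endswith("." + d) and not _is_ip(host))

def compare(host, domain_attr):
    return {"rfc2109": accept_2109(host, domain_attr),
            "rfc6265": accept_6265(host, domain_attr)}

if __name__ == "__main__":
    # Constructed request-host / Domain pairs taken from the thread's examples.
    for host, dom in [("drupal.org", ".drupal.org"), ("www.drupal.org", ".drupal.org"),
                      ("x.example.com", "example.com"), ("notdrupal.org", ".drupal.org")]:
        print(host, dom, compare(host, dom))
```

Both rule sets compare on a label boundary, so "notdrupal.org" never matches a cookie scoped to drupal.org; a matcher that does a bare suffix comparison without the dot would leak cookies to such look-alike hosts.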
