Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Firefox sending expired cookies? Anyone see this?
423 views
Skip to first unread message
Dmitry Safonov
Jul 16, 2014, 4:44:02 PM7/16/14
to support...@lists.mozilla.org
So I'll get right down to it. When we send a cookie, we actually store
the expiry date in the cookie value. It's the same one we send to the
browser. *ONLY* from Firefox, we're getting a shitload of requests from
cookies that *should* have expired. As in, our expiration time in the
cookie is way in the past, but the cookie is still being sent. Only from
Firefox.
I thought, maybe timezones? Nah we're calculating all that shit
server-side, and in unix time. Difference between the Set-Cookie and
what we're setting in the value? Nah, same code calculates it. Someone
fucking with us? Nope... Doesn't look like it. Happens for a lot of
people without any kind of pattern, and people who look like legit users.
And it ONLY happens with Firefox. Now, I'm 99.9% sure Firefox isn't
sending expired cookies, and we can't repro it, but it does happen, and
it only happens with Firefox. Literally no other browser has hit our "oh
this cookie should have expired check" other than FF 25 through 30.
So, I ask you... wtf?
--
*Dmitry Safonov*
Software Developer, Uberflip
the expiry date in the cookie value. It's the same one we send to the
browser. *ONLY* from Firefox, we're getting a shitload of requests from
cookies that *should* have expired. As in, our expiration time in the
cookie is way in the past, but the cookie is still being sent. Only from
Firefox.
I thought, maybe timezones? Nah we're calculating all that shit
server-side, and in unix time. Difference between the Set-Cookie and
what we're setting in the value? Nah, same code calculates it. Someone
fucking with us? Nope... Doesn't look like it. Happens for a lot of
people without any kind of pattern, and people who look like legit users.
And it ONLY happens with Firefox. Now, I'm 99.9% sure Firefox isn't
sending expired cookies, and we can't repro it, but it does happen, and
it only happens with Firefox. Literally no other browser has hit our "oh
this cookie should have expired check" other than FF 25 through 30.
So, I ask you... wtf?
--
*Dmitry Safonov*
Software Developer, Uberflip
WaltS48
Jul 16, 2014, 5:00:55 PM7/16/14
to
file a bug at <https://bugzilla.mozilla.org/>
No developers here.
--
Sponsored by Thunderbird 24.6.0 or 31.0b3
Pittsburgh Vintage Grand Prix - July 11-20, 2014
<http://www.pvgp.org/>
GO Bucs!
PietB
Jul 17, 2014, 5:00:05 PM7/17/14
to
Dmitry Safonov wrote:
> So I'll get right down to it. When we send a cookie, we actually store
> the expiry date in the cookie value. It's the same one we send to the
> browser. *ONLY* from Firefox, we're getting a shitload of requests from
> cookies that *should* have expired. As in, our expiration time in the
> cookie is way in the past, but the cookie is still being sent. Only from
> Firefox.
Consider the following Privacy combination of settings:
> So I'll get right down to it. When we send a cookie, we actually store
> the expiry date in the cookie value. It's the same one we send to the
> browser. *ONLY* from Firefox, we're getting a shitload of requests from
> cookies that *should* have expired. As in, our expiration time in the
> cookie is way in the past, but the cookie is still being sent. Only from
> Firefox.
1) Firefox will: Use custom settings for history
2) (checked) Accept cookies from sites
3) Keep until: I close Firefox
4) (checked) Clear history when Firefox closes
5) Settings of the latter:
When I close Firefox, automatically clear the following:
(*unchecked*!) Cookies
Note the contradiction between 3) and 5). Might this combination,
or only 5), cause the odd behaviour?
-p
Dmitry Safonov
Jul 17, 2014, 5:17:56 PM7/17/14
to Firefox help community
I imagine it would check if the cookie was expired before sending it, even if it wasn't cleared on session close. That'd be a pretty big bug otherwise and we wouldn't be the first to notice it
Sent from my mobile device.
> _______________________________________________
> support-firefox mailing list
> support...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/support-firefox
> To unsubscribe, send an email to support-fir...@lists.mozilla.org?subject=unsubscribe
Sent from my mobile device.
> support-firefox mailing list
> support...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/support-firefox
> To unsubscribe, send an email to support-fir...@lists.mozilla.org?subject=unsubscribe
0 new messages