Forum OpenACS Q&A: Mozilla and cookies and SSL

Posted by Rich Graves on
Problem on both my.brandeis.edu (ACS 3.4.10) and www.wgbh.org (still
ACS 4.x TCL I believe):

Mozilla 20020416 does not work when Privacy & Security/Cookies is set
to "Enable cookies for the originating web site only." It works when
set to "Enable all cookies."

Netscape 4.7 does save cookies for my.brandeis.edu and wgbh.org with
"Enable cookies for the originating web site only" set.

Why?

We both do bounce through SSL but cookies also fail on a non-SSL
development port.

Posted by Ash Argent-Katwala on

I haven't an OpenACS install to hand, so this may not address your particular problem - but was having some fun this morning with Moz and cookies. It was (silently) refusing to set a cookie if there was a domain specified and it didn't have the requisite two dots (e.g. .foo.com rather than foo.com), although it would happily set a cookie on foo.com so long as it wasn't specified in the header.

Looking at the 'spec' on Netscape's site, it yabbers on about two or three dots and offers some hokey rules for determining what level is safe. The particular example they offer, though ...

A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com"

... is what fails in Moz at present. (This morning's testing was with 0.9.6 on Linux, but I've just tried in 0.9.9 too). For that behaviour reasonably reliably it does work to set it on .acme.com, which does still present the cookies back for the host 'acme.com' too - even though that doesn't tail match the given domain (how true is this in other browsers?). Urgh.
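
The dot-count and tail-match rules discussed in this thread, as an added example that is not part of the original posts and is not Mozilla's or OpenACS's code. It models the Netscape cookie spec's rule (two periods for the seven special top-level domains, three for any other); all function names are hypothetical.

```javascript
// Model of the Netscape cookie-spec Domain checks; names are hypothetical.
const SPECIAL_TLDS = new Set(["com", "edu", "net", "org", "gov", "mil", "int"]);

// Dot-count rule: at least two periods for the seven special TLDs, three otherwise.
// This is what keeps a site from scoping a cookie to ".com" or ".co.uk".
function hasEnoughDots(domainAttr) {
  const d = domainAttr.toLowerCase();
  const dots = (d.match(/\./g) || []).length;
  const tld = d.slice(d.lastIndexOf(".") + 1);
  return dots >= (SPECIAL_TLDS.has(tld) ? 2 : 3);
}

// Literal tail match: the host string must end with the Domain attribute.
// Without a leading dot this is a bare suffix test, so "notacme.com" would
// also match "acme.com"; the leading dot anchors the match on a label boundary.
function tailMatches(host, domainAttr) {
  return host.toLowerCase().endsWith(domainAttr.toLowerCase());
}

// Lenient match: additionally lets ".acme.com" cover the bare host "acme.com",
// the behaviour the second post observed even though it is not a tail match.
function lenientMatches(host, domainAttr) {
  const h = host.toLowerCase();
  const d = domainAttr.toLowerCase();
  return tailMatches(h, d) || (d.startsWith(".") && h === d.slice(1));
}

// Decide whether a Set-Cookie received from `host` is stored.
// `domainAttr` is null when the header carried no Domain attribute.
function acceptSetCookie(host, domainAttr) {
  if (domainAttr === null) return { stored: true, scope: host }; // host-only cookie
  if (!hasEnoughDots(domainAttr)) return { stored: false, reason: "too few dots" };
  if (!lenientMatches(host, domainAttr)) return { stored: false, reason: "host outside domain" };
  return { stored: true, scope: domainAttr };
}

// Constructed sample inputs matching the cases in the thread.
for (const [host, dom] of [["foo.com", "foo.com"], ["foo.com", ".foo.com"], ["foo.com", null]]) {
  console.log(host, JSON.stringify(dom), acceptSetCookie(host, dom));
}
```

When debugging a silently dropped cookie, compare the `Domain` value in the `Set-Cookie` header against these checks before looking at the application.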