OpenID login fails for non-beta LP users using lynx and possibly other browsers
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself | Won't Fix | High | Unassigned | | |
Bug Description
Launchpad has two versions of the site: the production version, and "edge," the version used by Launchpad beta testers (see https:/
The Set-Cookie header for sessions that Launchpad sends on both edge.launchpad.net and launchpad.net uses the domain of .launchpad.net. Mainstream browsers handle this as desired in both cases: the cookie is accepted for all domains within launchpad.net, such as launchpad.net and bugs.launchpad.net and code.launchpad.net.
This is not correct domain matching according to a strict reading of RFC 2109 (http://
"""
Host A's name domain-matches host B's if
* both host names are IP addresses and their host name strings match
exactly; or
* both host names are FQDN strings and their host name strings match
exactly; or
* A is a FQDN string and has the form NB, where N is a non-empty name
string, B has the form .B', and B' is a FQDN string. (So, x.y.com
domain-matches .y.com but not y.com.)
"""
This states that, for instance, "bugs.launchpad
Therefore, for any browser that follows this strict interpretation, the Set-Cookie header is ignored if you are on the domain "launchpad.net". This breaks our session machinery for users on this domain, which in turn breaks our authentication machinery.
While mainstream browsers allow "launchpad.net" to match ".launchpad.net", Lynx follows the strict interpretation. Others may as well. Here is the original description of this bug, as an example of the breakage.
"""
When using the lynx browser to connect to Launchpad, when trying to log in using my OpenID, it appears to succeed, but when I am redirected back to the original page I was looking at, I do not appear to be logged in. Specifically, the top of the page still has the login link, rather than showing my username and having the logout button. When trying to upload an attachment to a bug, it redirects you to the login page, which then seems to say you are logged in, and redirects you back to the bug page, which redirects you back, in a loop.
"""
This also affects people trying to use launchpadlib and authenticating with Lynx (see bug 535456).
I verified that this was the problem by doing a temporary hack on a local branch of Launchpad that eliminated the preceding dot in the domain cookie. This "fixed" the problem.
AFAICT, Lynx is supposed to warn when it ignores cookies. It is also supposed to honor the COOKIE_
In any case, I believe that actively supporting at least one text-based browser is an important goal of Launchpad. I believe that Lynx should be that browser. In this case, fixing the problem also will arguably make us more correct in terms of RFC 2109.
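The domain-matching difference described in the report, as an added example (not Launchpad's or Lynx's code). The function names are hypothetical, and `lenient_domain_match` is a simplified model of the mainstream-browser behaviour the report describes, assumed here to ignore the leading dot:

```python
import ipaddress

def _is_ip(host):
    """True if the string parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def strict_domain_match(host, domain):
    """RFC 2109 domain-match as quoted above: does A (host) match B (domain)?"""
    a, b = host.lower(), domain.lower()
    if _is_ip(a) or _is_ip(b):
        return a == b                 # IP addresses must match exactly
    if a == b:
        return True                   # identical FQDN strings
    # A has the form N + B, with N non-empty and B = "." + B'
    return b.startswith(".") and len(b) > 1 and len(a) > len(b) and a.endswith(b)

def lenient_domain_match(host, domain):
    """Assumed mainstream behaviour: the leading dot is ignored, so the
    bare domain matches as well as its subdomains."""
    a, b = host.lower(), domain.lower().lstrip(".")
    if _is_ip(a) or _is_ip(b):
        return a == b
    return a == b or a.endswith("." + b)

def accepted_hosts(hosts, cookie_domain, matcher):
    """Hosts on which a Set-Cookie with this Domain value would be kept."""
    return [h for h in hosts if matcher(h, cookie_domain)]

# Constructed sample: hosts named in the report plus one unrelated look-alike.
HOSTS = ["launchpad.net", "edge.launchpad.net", "bugs.launchpad.net",
         "code.launchpad.net", "notlaunchpad.net"]
COOKIE_DOMAIN = ".launchpad.net"      # Domain value from the report

if __name__ == "__main__":
    for name, matcher in (("strict", strict_domain_match),
                          ("lenient", lenient_domain_match)):
        print(name, accepted_hosts(HOSTS, COOKIE_DOMAIN, matcher))
```

Under the strict matcher the bare host `launchpad.net` is the only Launchpad host that drops the session cookie, which is the host non-beta users log in on.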
Changed in launchpad-foundations: | |
status: | Incomplete → Triaged |
importance: | Undecided → Medium |
summary: |
- OpenID login fails/loops with lynx browser
+ OpenID login fails for non-beta LP users using lynx and possibly other
+ browsers |
description: | updated |
Changed in launchpad-foundations: | |
importance: | Medium → High |
Changed in launchpad-foundations: | |
assignee: | nobody → Benji York (benji) |
I see this happen in any browser for edge users. I do think this is the case here.