Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix path and secure flag of cookie_test #27549

Closed
wants to merge 1 commit into from
Closed

Conversation

PVince81
Copy link
Contributor

Fixes #26651

@ogoffart @davivel please test

@PVince81 PVince81 added this to the 10.0 milestone Mar 31, 2017
@PVince81
Copy link
Contributor Author

I baked this cookie taking inspiration from the other cookies in that file, so I think now the path and secure flag should be correct.

cc @phisch @DeepDiver1975 @Peter-Prochaska

@davivel
Copy link

davivel commented Apr 3, 2017

@jesmrec , could you have a look with the mobile apps? Thanks.

@PVince81
Copy link
Contributor Author

PVince81 commented Apr 3, 2017

I suspect that the problem only appears on environments where ownCloud is hosted in a subfolder, like "/owncloud". If it's hosted on the root of the vhost, the path will be correct since it defaults to "/".
That might explain why I never saw this issue on my own server.

@PVince81
Copy link
Contributor Author

PVince81 commented Apr 3, 2017

@guruz

@jesmrec
Copy link

jesmrec commented Apr 4, 2017

@davivel iOS devices send correctly the cookie_test but Android devices does not, using the same server with the current patch and performing the same actions.

CC @PVince81

@guruz
Copy link
Contributor

guruz commented Apr 4, 2017

Tried testing this with the desktop client.
In general I agree with the fix, HOWEVER for me it seems to have no effect.

If you send the cookie only when checking supportsCookies and you call supportsCookies only once from logClientIn then there was no chance to get the cookie even.

I also don't see the desktop client session in index.php/settings/personal?sectionid=security so no token was created.

@guruz
Copy link
Contributor

guruz commented Apr 4, 2017

you need to set the cookie when sending the first 401
but even that won't work for clients like the desktop client that send the password blindly
we wanted to change that in the desktop but then old server versions borked so we never changed it

https://github.com/owncloud/client/blob/c6f4f446192e5f11df80186e391b636471c15984/src/libsync/creds/httpcredentials.cpp#L53

@davivel
Copy link

davivel commented Apr 6, 2017

@davivel iOS devices send correctly the cookie_test but Android devices does not, using the same server with the current patch and performing the same actions.

I'll have a look to the Android app.

@PVince81
Copy link
Contributor Author

PVince81 commented Apr 7, 2017

@guruz indeed, I have the feeling this could never have worked

@PVince81
Copy link
Contributor Author

PVince81 commented Apr 7, 2017

I do wonder how the iOS client works then ? @jesmrec

From the code path it looks like the iOS client would need to login twice, the first login would receive the cookie and the second login will tell the code that cookies work.

Unless maybe the first request receives a 401 with challenge ? But I don't think supportsCookie is reached for a 401.

@jesmrec
Copy link

jesmrec commented Apr 28, 2017

Sorry, i have rechecked this issue. Both mobile clients are not sending the cookie in all requests. The cookie is received in the first OK response (propfind 207), but not resent in all the following requests. Needs to be checked deeply @davivel.

@jesmrec
Copy link

jesmrec commented Apr 28, 2017

Maybe related with #26651 (comment)

  • If the server is in "", the cookie_test does not contain the path:

Set-Cookie: ocfgt15emms5=2hhgs4fc6s0tle7oc48pgq3puf; path=/; secure; HttpOnly
Set-Cookie: cookie_test=test; expires=Fri, 28-Apr-2017 23:04:31 GMT; Max-Age=36000; secure; HttpOnly

the first cookie contains the path, but the second does not.

  • If the server is not in "", the cookie_test contains the path:

Set-Cookie: ocfjcfv3pcvs=i6sboee9j1hnp9uqcser74gfd6; path=/stable91/owncloud; secure; HttpOnly
Set-Cookie: cookie_test=test; expires=Fri, 28-Apr-2017 14:08:52 GMT; Max-Age=3600; path=/stable91/owncloud; secure; httponly

Both cases are tested with patched servers.

@davivel @PVince81

@davivel
Copy link

davivel commented May 2, 2017

@jesmrec , in the second case (server not in root path), are the mobile clients sending cookie_test in all the requests after the first one receiving Set-Cookie: cookie_test=test?

@davivel
Copy link

davivel commented May 2, 2017

@jesmrec , if I recall correctly, in the first case, the requests to Webdav path are sending cookie_test, while the requests to OCS are not sending it, right?

That would be a correct behaviour. If Set-Cookie has no path set, the path of the current request is used by default. In the tested cases, that was the Webdav path, so the app will not send the cookie to OCS path.

The confusing part is that the PR seems to set a path. @PVince81 , is it possible that OC::$WEBROOT is not set the first time that supportsCookie is run if OC is in the root path of the web server?

@guruz
Copy link
Contributor

guruz commented May 3, 2017

@davivel @jesmrec The server is broken anyway because it does not send the cookie at the right place: #27549 (comment)
(Independant of whatever the path is)

@PVince81 PVince81 modified the milestones: 10.0.2, 10.0.1 May 19, 2017
@PVince81 PVince81 modified the milestones: 10.0.2, 10.0.3 May 26, 2017
@PVince81 PVince81 modified the milestones: 10.0.3, 10.0.2 May 26, 2017
@PVince81
Copy link
Contributor Author

PVince81 commented Jul 4, 2017

Cannot work, likely needs a different approach

@PVince81 PVince81 closed this Jul 4, 2017
@PVince81 PVince81 deleted the fix-cookie-test branch July 4, 2017 12:48
@lock
Copy link

lock bot commented Aug 3, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 3, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

cookie_test path prevents clients to resend
4 participants