[tor-bugs] #14059 [Tor Browser]: Revision of existing double key cookie logic to meet requirements

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 27 12:26:03 UTC 2015


#14059: Revision of existing double key cookie logic to meet requirements
-----------------------------+----------------------------------
     Reporter:  michael      |      Owner:  michael
         Type:  defect       |     Status:  needs_information
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  TorBrowserTeam201501
Actual Points:               |  Parent ID:  #3246
       Points:               |
-----------------------------+----------------------------------

Comment (by gk):

 Replying to [comment:7 michael]:
 > R&D is paused, and can proceed as soon as questions are answered and
 > consensus on requirements is reached.

 Not sure where to put my testing feedback. Given that the patch I tested is
 attached in this bug I put my comments here as well. I tested with the
 latest nightly + msvb14058-283f7c6.patch on top. In a clean en-US bundle I
 did

 1) enabled third party cookies in Mozilla's privacy settings (the patch
 does not contain a special pref I need to toggle as far as I can see)
 2) installed Live HTTP Headers to log the traffic
 3) restarted and opened the Live HTTP Headers console to log traffic
 4) went to http://fundingpoint.net and saved all traffic logs
 5) opened in a different tab
 https://people.torproject.org/~gk/misc/fundingpoint_iframe.html and saved
 all traffic.
 6) searched for cookies in the logs.

 I get the following in 4)
 {{{
 http://www.fundingpoint.net/

 GET / HTTP/1.1
 Host: www.fundingpoint.net
 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101
 Firefox/31.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive

 HTTP/1.1 200 OK
 Date: Tue, 27 Jan 2015 11:47:45 GMT
 Server: Apache/2.2.15 (CentOS)
 X-Powered-By: PHP/5.4.23
 Set-Cookie: PHPSESSID=sihiadjk37v8bmvboep6d0gj56; path=/
 Set-Cookie:
 www_pyrocms=%2FjTZdv72Vxmghi%2F9HPFS1DfgA7%2Fysq5K%2BIfGLyW8TburMfS%2FMxGRVxUtGuwpBFilYQ5Yqj6bDRCj6XQV885b%2BkzcBmWsIqk%2FCyBrqARe2y4ytZ5UKGRdzPrZziPRjXEXZlEjzGA%2B%2FvVjljWB3x%2Ft9P76AxFt8Fm9fVmgbXlhO5b3gZgdGajvY59YyO%2FPr2d1dpARNwA5Xqly%2FEFaJk78mIHRiWIlGFmwtGMRc9eQDpvsW9WEmlwbGRwi9cHZV4o6X1PcHK4LIFJZ5IaFGShYacuwGC4Mxqc%2BH8AXBVl0gL47yeAx3E5bUGzjkohzwbJE48EsccGxVMQgPBbffxskc%2FeCNTHh0RmJnOoD%2FmivHKWJ08tU1HFQ1aqz%2FyskJARW;
 path=/; domain=www.fundingpoint.net
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 }}}
 and I see these too (among others) in 5)
 {{{
 http://www.fundingpoint.net/

 GET / HTTP/1.1
 Host: www.fundingpoint.net
 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101
 Firefox/31.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=sihiadjk37v8bmvboep6d0gj56;
 www_pyrocms=%2FjTZdv72Vxmghi%2F9HPFS1DfgA7%2Fysq5K%2BIfGLyW8TburMfS%2FMxGRVxUtGuwpBFilYQ5Yqj6bDRCj6XQV885b%2BkzcBmWsIqk%2FCyBrqARe2y4ytZ5UKGRdzPrZziPRjXEXZlEjzGA%2B%2FvVjljWB3x%2Ft9P76AxFt8Fm9fVmgbXlhO5b3gZgdGajvY59YyO%2FPr2d1dpARNwA5Xqly%2FEFaJk78mIHRiWIlGFmwtGMRc9eQDpvsW9WEmlwbGRwi9cHZV4o6X1PcHK4LIFJZ5IaFGShYacuwGC4Mxqc%2BH8AXBVl0gL47yeAx3E5bUGzjkohzwbJE48EsccGxVMQgPBbffxskc%2FeCNTHh0RmJnOoD%2FmivHKWJ08tU1HFQ1aqz%2FyskJARW;
 _ga=GA1.2.28869478.1422359271; GetResponseComWebform4642401=WebformCookie
 Connection: keep-alive
 }}}
 But that is not expected to happen as the URL bar domain in 5) is
 different from the one in 4). It seems to me the patch is not working as
 expected or am I missing something here?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14059#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
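The behaviour gk checks in steps 4) and 5), as an added model that is not part of the ticket, the patch or Tor Browser: a cookie jar keyed by cookie host only (what the logs above show) next to one keyed by (URL bar domain, cookie host), which is what double keying requires. The first-party domain is approximated by the last two host labels (an assumption; no public-suffix list is consulted), and the session cookie value is the one from the captured headers.

```python
from urllib.parse import urlparse


def first_party_key(url):
    """Registrable domain of the URL bar page, approximated as the last two
    labels of the hostname (assumption: no public-suffix list is used)."""
    host = urlparse(url).hostname
    return ".".join(host.split(".")[-2:])


class CookieJar:
    """Single-keyed (cookie host only) or double-keyed (URL bar domain + cookie
    host) cookie storage; only name=value is modelled, attributes are dropped."""

    def __init__(self, double_keyed):
        self.double_keyed = double_keyed
        self.store = {}  # key -> {cookie name: cookie value}

    def _key(self, top_level_url, request_url):
        host = urlparse(request_url).hostname
        if self.double_keyed:
            return (first_party_key(top_level_url), host)
        return (host,)

    def set_cookie(self, top_level_url, request_url, set_cookie_header):
        # Keep the leading name=value pair of the Set-Cookie header.
        name, _, value = set_cookie_header.split(";", 1)[0].partition("=")
        bucket = self.store.setdefault(self._key(top_level_url, request_url), {})
        bucket[name.strip()] = value.strip()

    def cookie_header(self, top_level_url, request_url):
        """Cookie header the browser would send, or None if nothing applies."""
        cookies = self.store.get(self._key(top_level_url, request_url), {})
        return "; ".join(f"{n}={v}" for n, v in cookies.items()) or None


def run_test(double_keyed):
    """Step 4): top-level visit to www.fundingpoint.net sets PHPSESSID.
    Step 5): the same host is loaded in an iframe under people.torproject.org.
    Returns the Cookie header sent for the iframe request."""
    jar = CookieJar(double_keyed)
    jar.set_cookie("http://www.fundingpoint.net/", "http://www.fundingpoint.net/",
                   "PHPSESSID=sihiadjk37v8bmvboep6d0gj56; path=/")
    return jar.cookie_header(
        "https://people.torproject.org/~gk/misc/fundingpoint_iframe.html",
        "http://www.fundingpoint.net/")


if __name__ == "__main__":
    print("single-keyed:", run_test(False))  # cookie leaks into the iframe
    print("double-keyed:", run_test(True))   # no cookie for a different URL bar domain
```

The single-keyed run reproduces what the Live HTTP Headers log in 5) shows; the double-keyed run is what the patch is expected to produce.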