[COOKIES STILL NOT FIXED] forcing https broken in ff2

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

[COOKIES STILL NOT FIXED] forcing https broken in ff2

Post by al_9x »

xp x86 sp3
ff 2.0.0.20
NoScript 1.9.9.3

No activity at all when http url is requested
Last edited by Tom T. on Thu Jun 04, 2009 8:10 am, edited 2 times in total.
Reason: change title to alert + bump post coming
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: forcing https broken in ff2

Post by Tom T. »

url example?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: forcing https broken in ff2

Post by Giorgio Maone »

Confirmed, probably a regression from "Explicit error message for HTTP->HTTPS->HTTP redirect loops" or "Images not being shown unless already cached when forced to HTTPS".
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: forcing https broken in ff2

Post by Tom T. »

Wow, yeah, only a blank page. Never noticed it when the regression was introduced, because, IMHO, Best Practice is to bookmark the *secure* login pages of your banks, etc., and not the unsecure main page. Or if you go to the unsecure page just to get generic info, don't login from there.

Still nice to have the Force with us, so appreciate the bug fix when able, Giorgio.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: forcing https broken in ff2

Post by Giorgio Maone »

Fixed in latest development build, 1.9.3.5
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [FIXED] forcing https broken in ff2

Post by Tom T. »

Confirmed that it fixes the page and forces secure connection; however, cookies are not being enforced.
Reproduce: put *wachovia.com in both HTTPS Force lists. Go to http://www.wachovia.com. Page secures properly, but some cookies are still marked "Send for any type of connection". TIA
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [NOT TOTALLY FIXED] forcing https broken in ff2

Post by Giorgio Maone »

@Tom T.:
did you try to clear your previously set cookies first?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [NOT TOTALLY FIXED] forcing https broken in ff2

Post by Tom T. »

No permanent cookies are stored from anywhere -- ever. All private data is dumped at each close of the browser. So there would have been no cookies. Also, it is the first place I went after installing the dev build.
My understanding was that with a "clean" browser opened (empty cache, cookies, etc.) Force would force the securing of the cookies. Is that not correct?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
therube
Ambassador
Posts: 7930
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: [NOT TOTALLY FIXED] forcing https broken in ff2

Post by therube »

I gave it a shot (not that I really know what I'm looking at) but it appears cookies were HTTPS (per Error Console).

SeaMonkey 1.1.17.
some cookies are still marked "Send for any type of connection"
Which cookies?
What link did you click to generate the cookie?

(When I looked, only at certain points was a cookie generated. Those that I saw were https.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090525 SeaMonkey/2.0b1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [NOT TOTALLY FIXED] forcing https broken in ff2

Post by Tom T. »

therube wrote: I gave it a shot (not that I really know what I'm looking at) but it appears cookies were HTTPS (per Error Console).
I wasn't looking in EC, I was looking at the cookies themselves in Fx > Tools > Options > Privacy > Show Cookies
What link did you click to generate the cookie?
The one in blue at the post in question, where I raised the issue.
Which cookies?
originalReferrer
CookiesAreEnabled
s_sess
s_pers

The only one that *was* tagged "Send for secure connection only" was "TLTSID"
(When I looked, only at certain points was a cookie generated. Those that I saw were https.)
This was a one-step process, or one-point process. There was only one point at which cookies were generated. I just reproduced it by clicking my own link in the previous post, having the page load securely as it was forced to, and reading all of the above cookies. No other "points" at which to generate.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

BUMP -- No Change Since Last Post

Post by Tom T. »

Just went to http://www.wachovia.com. No change since last post. Is it enough to secure only the TLTSID cookie? My understanding was that "force secure cookies" would require *all* cookies from said site to be marked "send for encrypted session only". If I am mistaken, please let me know, so that the concern is ended. Otherwise, the "force secure cookie" feature is not functioning. ... I just reproduced this issue at a different financial institution. Home page is properly converted to https, but many unsecured cookies and only one secured. Please advise. TIA.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: forcing https broken in ff2

Post by Giorgio Maone »

Sorry for the late answer, but just to be sure everybody understands the feature: secure cookie forcing/management forces only cookies which have been set through an HTTPS connection to be "secure".
Of course cookies which have been set through plain HTTP, if sensitive, are already compromised downstream and there's nothing you can do about it aside forcing HTTPS for the site.
So if you've got a site which is mixed HTTP/HTTPS, you can still have cookies which are not forced and are the ones which have been set through HTTP, because forcing them is pointless and very likely to cause incompatibilities.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
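As an added illustration of the rule Giorgio states above (example code written for this page, not NoScript's own implementation; the pattern matcher, the header handling and the sample responses are constructed for the example), here is how a "force secure cookies" rule behaves on Set-Cookie headers. A cookie set in a response that arrived over HTTPS gets the Secure attribute added if it is missing; a cookie set over plain HTTP is left alone, because it has already crossed the wire in the clear. The second scenario shows why adding the site to Force HTTPS as well changes the outcome, which is the difference therube's later post reports.

```javascript
// Added illustration (not NoScript's code): a "force secure cookies" rule
// applied to Set-Cookie headers, following the behaviour described in the
// thread: only cookies set over an HTTPS response are rewritten to carry
// the Secure attribute; cookies set over plain HTTP are left untouched.

// Does `host` match a NoScript-style pattern such as "*.wachovia.com"?
// (Assumed matcher for this example; "*.example.com" also matches the
// bare "example.com".)
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return host === pattern;
}

// Parse one Set-Cookie header into name, value and a map of attributes.
// Attribute names are lower-cased (they are case-insensitive per RFC 6265);
// flag attributes such as Secure or HttpOnly map to `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq >= 0 ? nameValue.slice(0, eq).trim() : nameValue,
    value: eq >= 0 ? nameValue.slice(eq + 1) : '',
    attrs: {},
  };
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attrs[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Serialize a parsed cookie back into a Set-Cookie header.
function serializeSetCookie(cookie) {
  let out = `${cookie.name}=${cookie.value}`;
  for (const [key, val] of Object.entries(cookie.attrs)) {
    out += val === true ? `; ${key}` : `; ${key}=${val}`;
  }
  return out;
}

// Apply the rule to one response.
//   response = { scheme: 'http' | 'https', host, setCookie: [header, ...] }
//   secureCookiePatterns = patterns the user put in the Secure Cookies list
// Returns { headers: rewritten Set-Cookie headers, forced: names made Secure }.
function forceSecureCookies(response, secureCookiePatterns) {
  const listed = secureCookiePatterns.some(p => hostMatches(p, response.host));
  const forced = [];
  const headers = response.setCookie.map(h => {
    const c = parseSetCookie(h);
    // Only cookies arriving over HTTPS are forced; HTTP ones are already exposed.
    if (listed && response.scheme === 'https' && c.attrs.secure !== true) {
      c.attrs.secure = true;
      forced.push(c.name);
    }
    return serializeSetCookie(c);
  });
  return { headers, forced };
}

// "Force HTTPS" step: if the host is in the Force HTTPS list the request is
// upgraded, so the response (and the cookies it sets) arrive over https.
function forceHttps(response, forceHttpsPatterns) {
  if (forceHttpsPatterns.some(p => hostMatches(p, response.host))) {
    return { ...response, scheme: 'https' };
  }
  return response;
}

// Constructed sample response for this example (not captured traffic).
const sampleResponse = {
  scheme: 'http',
  host: 'www.example.com',
  setCookie: [
    'TLTSID=abc123; Path=/; Domain=.example.com',
    'AuthSvsSessionID=xyz; Path=/; Secure; HttpOnly',
  ],
};

// Scenario A: host only in the Secure Cookies list. The response is plain
// http, so the unsecured cookie stays unsecured.
function scenarioSecureCookiesOnly() {
  return forceSecureCookies(sampleResponse, ['*.example.com']);
}

// Scenario B: host also in Force HTTPS. The same response now arrives over
// https, so the previously unsecured cookie is forced Secure.
function scenarioForceHttpsToo() {
  const upgraded = forceHttps(sampleResponse, ['*.example.com']);
  return forceSecureCookies(upgraded, ['*.example.com']);
}
```

A cookie from a host that is not in the list at all (the third-party advertising cookie in therube's report, for instance) never enters the `listed` branch and is passed through unchanged in either scenario; forcing Secure on it would not protect anything that was not already sent in clear text.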
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: forcing https broken in ff2

Post by Tom T. »

Giorgio Maone wrote:... secure cookie forcing/management forces only cookies which have been set through an HTTPS connection to be "secure".
Please ensure that *.wachovia.com is in HTTPS Behavior and Cookies, then visit the *secure* login site,
https://onlineservices.wachovia.com/aut ... returnHome
*not* the insecure home page, http://www.wachovia.com.
Note that you still receive one insecure cookie from wachovia.com, s_sess.
I am hoping that the secure cookie, TLTSID, is the one that a thief would need to hijack the session, and that the insecure one is only generic information, such as OS, browser, etc. In which case, there is no cause for concern. But it is still the case (F2, reminder) that an insecure cookie made it through an HTTPS connection, even with Force Secure in place.
Of course cookies which have been set through plain HTTP, if sensitive, are already compromised downstream and there's nothing you can do about it aside forcing HTTPS for the site.
After clearing the above cookies, etc. with HTTPS Force in place, please visit the home page, http://www.wachovia.com. It correctly sets an HTTPS connection, as forced. Yet this time, three insecure cookies are set, despite there never having been an HTTP connection.
Again, one hopes that these insecure cookies, OriginalReferrer, CookiesAreEnabled, and s_sess, contain nothing sensitive. (RefControl takes care of my referrers now, thank you very kindly, Sir! :) ) And that the secure cookie received upon login, TLTSID, contains the goodies. So forcing HTTPS for the site, although successful in setting the HTTPS connection, still does not force all secure cookies. Please tell me that this is nothing to worry about. Thanks.

Is this different in F3?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
therube
Ambassador
Posts: 7930
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: [COOKIES STILL NOT FIXED] forcing https broken in ff2

Post by therube »

SeaMonkey 1.1.17 & SeaMonkey 2

Add *.wachovia.com to Secure Cookies.

I get two cookies ...


unsecured - id @ doubleclick.net
unsecured - TLTSID @ wachovia.com
If I refresh the page, then I get one more ....


  secured - AuthSvsSessionID @ wachovia.com
Remove all cookies.

Add *.wachovia.com to Force HTTPS.

I get two cookies ...


unsecured - id @ doubleclick.net
  secured - TLTSID @ wachovia.com
If I refresh the page, then I get one more ....


  secured - AuthSvsSessionID @ wachovia.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090617 SeaMonkey/2.0b1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [COOKIES STILL NOT FIXED] forcing https broken in ff2

Post by Tom T. »

At which site: the home page, which must be forced secure, or the secure login site (the link that exceeds the width of the page in my post above)?
Do you have any third-party cookie managers, and does Seamonkey's default cookie manager work identically to Fx's?
O/T: You don't mind the cookies from DoubleClick? They've been sued - successfully - for invasion of privacy, data misuse, etc. But as you've said elsewhere, if you're happy, I'm happy. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard