[COOKIES STILL NOT FIXED] forcing https broken in ff2
xp x86 sp3
ff 2.0.0.20
NoScript 1.9.9.3
No activity at all when http url is requested
Last edited by Tom T. on Thu Jun 04, 2009 8:10 am, edited 2 times in total.
Reason: change title to alert + bump post coming
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Re: forcing https broken in ff2
url example?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: forcing https broken in ff2
Confirmed, probably a regression from "Explicit error message for HTTP->HTTPS->HTTP redirect loops" or "Images not being shown unless already cached when forced to HTTPS".
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: forcing https broken in ff2
Wow, yeah, only a blank page. Never noticed it when the regression was introduced, because, IMHO, Best Practice is to bookmark the *secure* login pages of your banks, etc., and not the unsecure main page. Or if you go to the unsecure page just to get generic info, don't login from there.
Still nice to have the Force with us, so appreciate the bug fix when able, Giorgio.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- Giorgio Maone
Re: forcing https broken in ff2
Fixed in latest development build, 1.9.3.5
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: [FIXED] forcing https broken in ff2
Confirmed that it fixes the page and forces secure connection; however, cookies are not being enforced.
Reproduce: put *wachovia.com in both HTTPS Force lists. Go to http://www.wachovia.com. Page secures properly, but some cookies are still marked "Send for any type of connection". TIA
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- Giorgio Maone
Re: [NOT TOTALLY FIXED] forcing https broken in ff2
@Tom T.:
did you try to clear your previously set cookies first?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: [NOT TOTALLY FIXED] forcing https broken in ff2
No permanent cookies are stored from anywhere -- ever. All private data is dumped at each close of the browser. So there would have been no cookies. Also, it is the first place I went after installing the dev build.
My understanding was that with a "clean" browser opened (empty cache, cookies, etc.) Force would force the securing of the cookies. Is that not correct?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: [NOT TOTALLY FIXED] forcing https broken in ff2
I gave it a shot (not that I really know what I'm looking at) but it appears cookies were HTTPS (per Error Console).
SeaMonkey 1.1.17.
Quote: some cookies are still marked "Send for any type of connection"
Which cookies?
What link did you click to generate the cookie?
(When I looked, only at certain points was a cookie generated. Those that I saw were https.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090525 SeaMonkey/2.0b1pre
Re: [NOT TOTALLY FIXED] forcing https broken in ff2
therube wrote: I gave it a shot (not that I really know what I'm looking at) but it appears cookies were HTTPS (per Error Console).
I wasn't looking in EC, I was looking at the cookies themselves in Fx > Tools > Options > Privacy > Show Cookies
Quote: What link did you click to generate the cookie?
The one in blue at the post in question, where I raised the issue.
Quote: Which cookies?
originalReferrer
CookiesAreEnabled
s_sess
s_pers
The only one that *was* tagged "Send for secure connection only" was "TLTSID"
Quote: (When I looked, only at certain points was a cookie generated. Those that I saw were https.)
This was a one-step process, or one-point process. There was only one point at which cookies were generated. I just reproduced it by clicking my own link in the previous post, having the page load securely as it was forced to, and reading all of the above cookies. No other "points" at which to generate.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
BUMP -- No Change Since Last Post
Just went to http://www.wachovia.com. No change since last post. Is it enough to secure only the TLTSID cookie? My understanding was that "force secure cookies" would require *all* cookies from said site to be marked "send for encrypted session only". If I am mistaken, please let me know, so that the concern is ended. Otherwise, the "force secure cookie" feature is not functioning. ... I just reproduced this issue at a different financial institution. Home page is properly converted to https, but many unsecured cookies and only one secured. Please advise. TIA.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- Giorgio Maone
Re: forcing https broken in ff2
Sorry for the late answer, but just to be sure everybody understands the feature: secure cookie forcing/management forces only cookies which have been set through an HTTPS connection to be "secure".
Of course cookies which have been set through plain HTTP, if sensitive, are already compromised downstream and there's nothing you can do about it aside from forcing HTTPS for the site.
So if you've got a site which is mixed HTTP/HTTPS, you can still have cookies which are not forced and are the ones which have been set through HTTP, because forcing them is pointless and very likely to cause incompatibilities.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
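The rule described in the post above, sketched as an added example (not NoScript's own code and not part of the original thread): a cookie is forced to "secure" only when it arrives over HTTPS from a listed host. The hosts `bank.example` and `ads.example`, the simplified pattern matcher and the cookie values are assumptions made for the illustration; only the cookie names come from the thread.

```javascript
// Added illustration, not NoScript source code.
// Simplified matcher (assumption): "*.bank.example" covers the domain and its subdomains.
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === pattern;
}

// Parse one Set-Cookie header value: cookie name plus whether "Secure" is present.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = parts.slice(1).map((p) => p.split("=")[0].trim().toLowerCase());
  return { name, secure: attrs.includes("secure") };
}

// Decide what to store for a cookie received from `url`, and why.
function forceSecure(url, header, patterns) {
  const { protocol, hostname } = new URL(url);
  const { name, secure } = parseSetCookie(header);
  if (secure) return { name, header, action: "already-secure" };
  // Set over plain HTTP: already exposed on the wire, so it is not forced.
  if (protocol !== "https:") return { name, header, action: "left-alone-set-over-http" };
  if (!patterns.some((p) => hostMatches(p, hostname)))
    return { name, header, action: "left-alone-host-not-listed" };
  return { name, header: header.replace(/;?\s*$/, "") + "; Secure", action: "forced" };
}

// Constructed sample responses: hypothetical hosts, placeholder values.
const SAMPLE = [
  ["https://www.bank.example/", "TLTSID=placeholder; Path=/; Secure"],
  ["https://www.bank.example/", "CookiesAreEnabled=yes; Path=/"],
  ["http://www.bank.example/", "originalReferrer=placeholder; Path=/"],
  ["https://ads.example/", "id=placeholder; Path=/"],
];

function audit(patterns) {
  return SAMPLE.map(([url, header]) => forceSecure(url, header, patterns));
}

console.log(audit(["*.bank.example"]));
```
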
Re: forcing https broken in ff2
Giorgio Maone wrote: ... secure cookie forcing/management forces only cookies which have been set through an HTTPS connection to be "secure".
Please ensure that *.wachovia.com is in HTTPS Behavior and Cookies, then visit the *secure* login site,
https://onlineservices.wachovia.com/aut ... returnHome
*not* the insecure home page, http://www.wachovia.com.
Note that you still receive one insecure cookie from wachovia.com, s_sess.
I am hoping that the secure cookie, TLTSID, is the one that a thief would need to hijack the session, and that the insecure one is only generic information, such as OS, browser, etc. In which case, there is no cause for concern. But it is still the case (F2, reminder) that an insecure cookie made it through an HTTPS connection, even with Force Secure in place.
Giorgio Maone wrote: Of course cookies which have been set through plain HTTP, if sensitive, are already compromised downstream and there's nothing you can do about it aside from forcing HTTPS for the site.
After clearing the above cookies, etc. with HTTPS Force in place, please visit the home page, http://www.wachovia.com. It correctly sets an HTTPS connection, as forced. Yet this time, three insecure cookies are set, despite there never having been an HTTP connection.
Again, one hopes that these insecure cookies, OriginalReferrer, CookiesAreEnabled, and s_sess, contain nothing sensitive. (RefControl takes care of my referrers now, thank you very kindly, Sir! ) And that the secure cookie received upon login, TLTSID, contains the goodies. So forcing HTTPS for the site, although successful in setting the HTTPS connection, still does not force all secure cookies. Please tell me that this is nothing to worry about. Thanks.
Is this different in F3?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: [COOKIES STILL NOT FIXED] forcing https broken in ff2
SeaMonkey 1.1.17 & SeaMonkey 2
Add *.wachovia.com to Secure Cookies.
I get two cookies ...
    unsecured - id @ doubleclick.net
    unsecured - TLTSID @ wachovia.com
If I refresh the page, then I get one more ....
    secured - AuthSvsSessionID @ wachovia.com
Remove all cookies.
Add *.wachovia.com to Force HTTPS.
I get two cookies ...
    unsecured - id @ doubleclick.net
    secured - TLTSID @ wachovia.com
If I refresh the page, then I get one more ....
    secured - AuthSvsSessionID @ wachovia.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090617 SeaMonkey/2.0b1pre
Re: [COOKIES STILL NOT FIXED] forcing https broken in ff2
At which site: the home page, which must be forced secure, or the secure login site (the link that exceeds the width of the page in my post above)?
Do you have any third-party cookie managers, and does Seamonkey's default cookie manager work identically to Fx's?
O/T: You don't mind the cookies from DoubleClick? They've been sued - successfully - for invasion of privacy, data misuse, etc. But as you've said elsewhere, if you're happy, I'm happy.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard