[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736 --- Comment #16 from Brad Jorsch bjor...@wikimedia.org --- (In reply to comment #15) This seems related to bug 46903. Bug 46901 is probably a better link. Once the SUL2 stuff mentioned there is deployed (I believe the plan is to start testing for deployment in the next week or two), this should be fixed. FWIW, code to fix bug 46903 is already merged, but not yet deployed or enabled. bug 46904 is another part of it, which is also merged but not yet deployed or enabled. Essential to enabling both of those is bug 46902, which is already completed. And then there's bug 46905, which has code currently in review, which allows user scripts doing CORS requests to work around the third-party cookie issue. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736 --- Comment #17 from MZMcBride b...@mzmcbride.com --- Thank you very much for the info in comment 15 and for cross-referencing those bugs. (It's quite a neat set of bug numbers!) I'm also very glad to hear this bug may soon be fixed. That's great! -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736 --- Comment #15 from MZMcBride b...@mzmcbride.com --- This seems related to bug 46903. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736
--- Comment #14 from Katherine Ahern k...@emergentdatasystems.com 2009-12-01
21:58:07 UTC ---
I was curious about whether using a redirect to set a cookie and then serve an
image would work, so I implemented Platonides' suggestion, and it totally does.
The redirect page sets the cookie. In FF3.5 third party cookies are disabled by
default, so when I visited:
www.networkedtraveler.org/dev/thirdPartyCookies.php
I got the no cookie set image. When I changed my browser settings to accept
third party cookies I got the other image. Here are the scripts:
www.emergentdatasystems.com/redirect.php
?php
//set cookie
setcookie(testCookie, set it);
//redirect
header(Location: http://www.emergentdatasystems.com/image.php;);
?
www.emergentdatasystems.com/image.php
?php
if (isset($_COOKIE['testCookie'])) {
readfile(images.jpg);
} else {
readfile(images-1.jpg);
}
?
--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736 --- Comment #13 from Platonides platoni...@gmail.com 2009-11-30 16:56:47 UTC --- No we couldn't, because loading the image sets the cookie generated by PHP. This cookie is unique for each login, so you can't cache it in Squid. You would set the cookie when handing the redirect. The redirect would lead to a simple script like: ?php if (isset($_COOKIE['SUL'])) readfile(loggedin.png); else readfile(enablecookies.png); with appropiate headers so squids cache both variants based on cookie existance. AFAIK they can do that. It may not provide any benefit, though. I don't think there's any bottleneck on sending the login images. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736
Katherine Ahern k...@emergentdatasystems.com changed:
What|Removed |Added
CC||k...@emergentdatasystems.com
--- Comment #8 from Katherine Ahern k...@emergentdatasystems.com 2009-11-29
20:47:36 UTC ---
I agree with Platonides that it seems to me when we get the images on the other
sites, we don’t check whether a login cookie was successfully set. I don't
think we need to do any redirects, though.
An idea I had is when we’re getting the images from the other servers (to
tell a user he/she is logged in on other sites), we need to check if the cookie
is properly set, too:
In SpecialAutoLogin.php on the other sites, when we check this:
$data = $wgMemc-get( $key );
We should also test the cookie:
if($_COOKIE[centralAuthSession] == $sessionID){ //or however you check for
logged-in-ness with the cookie
$cookieSet = true;
} else {
$cookieSet = false;
}
Then you change this line:
if( !$data ) {
to
if( !$data || !$cookieSet ) {
--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736 --- Comment #9 from Platonides platoni...@gmail.com 2009-11-29 23:45:07 UTC --- (In reply to comment #8) I agree with Platonides that it seems to me when we get the images on the other sites, we don’t check whether a login cookie was successfully set. I don't think we need to do any redirects, though. An idea I had is when we’re getting the images from the other servers (to tell a user he/she is logged in on other sites), we need to check if the cookie is properly set, too: You can't. The images are not to tell that you are logged in. They are to log you. The cookie is set when delivering you the image. Thus the need for the intermediate redirect. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736 --- Comment #10 from Katherine Ahern k...@emergentdatasystems.com 2009-11-30 01:10:01 UTC --- Ah, gotcha. So the intermediate redirect sets the cookie, then the subsequent page tests and delivers either the image or nothing or a you aren't necessarily logged in to other wikimedia sites message? Sorry if you have to speak sort of slowly to me, I'm new here. Would a redirect cause too much of a load increase? -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 14736] CentralAuth should gracefully handle browsers rejecting third party cookies
https://bugzilla.wikimedia.org/show_bug.cgi?id=14736 Derk-Jan Hartman hart...@videolan.org changed: What|Removed |Added CC||hart...@videolan.org --- Comment #7 from Derk-Jan Hartman hart...@videolan.org 2009-08-18 13:20:53 UTC --- This problem would mostly be avoided if bug 20298 is implemented, though a proper error might still be useful of course. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
