[Webkit-unassigned] [Bug 26193] Incorrect server time invalidates cookies

bugzilla-daemon at webkit.org
Wed Feb 9 09:47:17 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=26193


Alexander Romanovich <alex at sirensclef.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|WebKit Misc.                |Page Loading




--- Comment #1 from Alexander Romanovich <alex at sirensclef.com>  2011-02-09 09:47:17 PST ---
This bug hasn't been evaluated or assigned in the past couple years. I just checked and it seems to still exist. I've got a way to reproduce now (without needing to change the server time of a live server):

1) Take two computers (in my case I just used my desktop Mac and a MacBook).

2) Enable web server on one of them.

3) On the *same* computer with the web server enabled, create the following PHP script:

<?php

if (empty($_GET['test'])) {
    setcookie('test',1,time()+1800);
    die(header('Location: '.$_SERVER['PHP_SELF'].'?test=1'));
}
else echo 'Cookie is '.(empty($_COOKIE['test']) ? 'NOT ' : '').'set.';

?>

This script is designed to set a cookie that expires in 30 minutes, then redirect, then check to see if the cookie still exists or if it has expired immediately.

4) On the *same* computer with the web server enabled and the PHP script created, set the computer's clock back 1 hour.

5) On the *other* computer (without server/script), load the PHP script that was created via http in Safari.

Result:

Safari will say "The cookie is NOT set."

Firefox will say "The cookie IS set."

Is it possible that Firefox is getting the server's reported time, calculating an offset between server time and client time, and then dynamically adjusting the cookie expiration time accordingly? My mind is boggled a little bit.

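The reproduction in comment #1, modelled as an added example (not part of the original bug mail, and not WebKit or Firefox code): it builds the headers a server with a clock one hour slow would send for the PHP script's 30-minute cookie, then evaluates them on a correctly set client under two expiry policies. The timestamps and all function names are constructed for illustration, and the skew-corrected policy is only the hypothesis raised in the comment.

```javascript
// Added example: models the reproduction above; not WebKit or Firefox code.
// Constructed values: the client clock is correct, the server clock is 1 hour slow.
const HOUR = 3600 * 1000;
const clientNow = Date.UTC(2011, 1, 9, 17, 47, 17); // constructed "true" time
const serverNow = clientNow - HOUR;                  // step 4: clock set back 1 hour

// What setcookie('test', 1, time()+1800) puts on the wire, together with
// the Date header the web server stamps from the same slow clock.
function serverResponse(now, lifetimeSeconds) {
  const expires = new Date(now + lifetimeSeconds * 1000).toUTCString();
  return {
    date: new Date(now).toUTCString(),
    setCookie: `test=1; expires=${expires}`,
  };
}

function parseExpires(setCookie) {
  const m = /;\s*expires=([^;]+)/i.exec(setCookie);
  return m ? Date.parse(m[1]) : null; // null = no Expires (session cookie)
}

// Policy A: take the Expires timestamp at face value against the client clock.
function expiryAbsolute(resp) {
  return parseExpires(resp.setCookie);
}

// Policy B (the hypothesis in the comment): read Expires relative to the
// server's Date header and re-anchor that lifetime on the client clock.
function expirySkewCorrected(resp, clientClock) {
  const expires = parseExpires(resp.setCookie);
  const serverDate = Date.parse(resp.date);
  if (expires === null || Number.isNaN(serverDate)) return expires;
  return clientClock + (expires - serverDate);
}

function isStored(expiry, clientClock) {
  return expiry === null || expiry > clientClock;
}

const resp = serverResponse(serverNow, 1800);
console.log('absolute Expires:', isStored(expiryAbsolute(resp), clientNow));
console.log('skew-corrected  :', isStored(expirySkewCorrected(resp, clientNow), clientNow));
```

Under policy A the cookie is already 30 minutes in the past when it arrives, so the session never sticks. A Max-Age attribute is a relative lifetime measured on the client's clock, so a server that sends it does not depend on its own clock being correct.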