
For version 1.16+:: With Apache 2.2 :: Session Hijacking or Cookie error in IE
Closed, Invalid (Public)


Author: awhizle

Within Apache2 configuration files (mine are /etc/apache2/sites-available/example).

If you use a ServerName value with underscore characters or capitalization you will get one of two errors:

  1. "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again"
  2. "Login error <wiki name> uses cookies to log in users. You have cookies disabled. Please enable them and try again."

This will occur when trying to log in as any user, even with a session.save_path value explicitly set in LocalSettings.php.

This only occurs in IE 8 and 9 (did not test older versions).

I also tested with Firefox 9.01 and Google Chrome 16.0.912.77, both of these browsers worked with login.

Version: 1.18.x
Severity: normal
OS: Linux



Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 12:18 AM
bzimport set Reference to bz34455.
bzimport added a subscriber: Unknown Object (MLST).

Sounds like a config error; IIRC underscores are forbidden in hostnames, and capitals are just trouble...?


"Host names are not allowed to have underscores in them. In DNS, host names are
the name fields of A or MX records or the data fields of the SOA and NS
records. Thus, there are many DNS entries that are not hostnames. Underscores
allowed, except in host names."
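A defensive pre-check for the rule quoted above, added here as an example (it is not code from this task or from MediaWiki): it scans an Apache vhost fragment for ServerName values and reports underscores, uppercase letters and other RFC 1123 label violations before they reach a browser's cookie logic. The vhost text and host names are constructed for the example.

```python
import re

# RFC 1123 host-name label: letters, digits and hyphens only, no leading or
# trailing hyphen, 1-63 characters. Underscores are not permitted in host names.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_hostname(name):
    """Return a list of problems with a host name meant for ServerName/$wgServer.

    An empty list means the name is a valid, all-lowercase RFC 1123 host name.
    """
    problems = []
    if name != name.lower():
        problems.append("contains uppercase letters; use %s" % name.lower())
    if "_" in name:
        problems.append("contains underscore(s), which are not allowed in host names")
    if len(name) > 253:
        problems.append("exceeds 253 characters")
    for label in name.split("."):
        if not label:
            problems.append("has an empty label (leading, trailing or doubled '.')")
        elif "_" not in label and not LABEL_RE.match(label.lower()):
            problems.append("label %r is not a valid RFC 1123 label" % label)
    return problems


def check_apache_config(text):
    """Map each ServerName host found in an Apache vhost text to its problems."""
    report = {}
    for line in text.splitlines():
        m = re.match(r"\s*ServerName\s+(\S+)", line)
        if not m:
            continue
        host = re.sub(r"^[a-z]+://", "", m.group(1), flags=re.I)  # drop scheme://
        host = host.split(":")[0]                                  # drop :port
        report[host] = check_hostname(host)
    return report


# Constructed vhost fragment: one bad ServerName (underscore + capitals), one good.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName Wiki_Internal.example.org
    DocumentRoot /var/www/mediawiki
</VirtualHost>
<VirtualHost *:80>
    ServerName wiki.example.org:80
</VirtualHost>
"""

if __name__ == "__main__":
    for host, problems in check_apache_config(SAMPLE_VHOST).items():
        print(host, "->", problems or "ok")
```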

awhizle wrote:

Regardless of the RFC docs, the page loaded correctly and my internal DNS allowed me to add the host with the underscore. Everything worked on the wiki (editing, blocking anonymous edits, etc.) except the login section. Bad config or not, the error message was not descriptive enough and instead a catch-all error message that doesn't even apply to the issue was being used.

Mainframe98 edited subscribers, added: Mainframe98; removed: wikibugs-l-list.

Internet Explorer 8 & 9 are outdated and no longer supported. Technically IE9 still is (T248061), but given that Microsoft has effectively given up on Internet Explorer, this isn't worth pursuing.