2014-11-25 16:43 EST

ID: 0012552
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2011-04-05 14:23
Reporter: dregad
Assigned To: dhx
Priority: low
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: git trunk
Target Version: 1.2.5
Fixed in Version: 1.2.5
Summary: 0012552: Use of a period "." in $g_cookie_prefix results in login error
Description: If the cookie prefix string contains a ".", then the following (misleading) error message is displayed on the login page:

    Your browser either does not know how to handle cookies, or refuses to handle them.

In gpc_set_cookie, $p_name is correctly set to "TEST.1", but in $_COOKIE, the stored value (array index) is "TEST_1_STRING_COOKIE"

The easy and obvious workaround is to not use a "." in the prefix string, but this should at least be documented in config_defaults_inc.php.
Steps To Reproduce:
1. Define $g_cookie_prefix = "TEST.1" in config_inc.php
2. Try to log in
Additional Information: Note: the period "." is a valid char in a cookie name, per RFC 2965 and 2616, which define the valid chars for cookies as
       token = 1*<any CHAR except CTLs or separators>
       separators = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT
       CTL = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>

Someone else seems to have noticed this behavior of PHP (see user note under setcookie documentation http://php.net/manual/en/function.setcookie.php#99845).

Tags: patch
Attached Files:
  • 0001-Fix-12552-Period-should-not-be-used-in-g_cookie_pref.patch (804 bytes) 2010-11-23 10:13
    From 341991eee9b32bf671047b8c33b01c8569d63d2b Mon Sep 17 00:00:00 2001
    From: Damien Regad <damien.regad@merckserono.net>
    Date: Tue, 23 Nov 2010 16:10:11 +0100
    Subject: [PATCH] Fix #12552: Period should not be used in g_cookie_prefix
    
    Modified comment in config_defaults_inc.php to document this
    ---
     config_defaults_inc.php |    2 +-
     1 files changed, 1 insertions(+), 1 deletions(-)
    
    diff --git a/config_defaults_inc.php b/config_defaults_inc.php
    index b3f8bd8..41341d7 100644
    --- a/config_defaults_inc.php
    +++ b/config_defaults_inc.php
    @@ -2764,7 +2764,7 @@
     
     	/**
     	 * --- cookie prefix ---------------
    -	 * set this to a unique identifier.  No spaces.
    +	 * set this to a unique identifier.  No spaces or periods.
     	 * @global string $g_cookie_prefix
     	 */
     	$g_cookie_prefix		= 'MANTIS';
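Review bot: The new comment line ("No spaces or periods.") states the restriction without the reason, so an administrator who sees the misleading cookie error on the login page has nothing tying it to this setting; consider adding that a period in the prefix changes the name under which the cookie appears in $_COOKIE. The change is also documentation only: $g_cookie_prefix still accepts such a value and login still fails, so a check where the prefix is read would surface the misconfiguration directly.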
    -- 
    1.7.1
    
    


Notes

~0027459

dregad (developer)

I wonder if this behavior could be caused by PHP handling of external variables (http://us2.php.net/variables.external) which according to the note is converting spaces and dots to underscores.

But I'm not sure if it's the case, because Mantis behavior is not fully consistent, even though the error message on login page is the same:
$g_cookie_prefix = "TEST 2"
In gpc_set_cookie, $p_name is set to "TEST 2_STRING_COOKIE", but there is no value stored in $_COOKIE
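
The two prefixes discussed in this issue ("TEST.1" and "TEST 2"), as an added example that is not MantisBT code: a configuration check that flags a cookie prefix PHP cannot round-trip. The function name check_cookie_prefix() is hypothetical; the _STRING_COOKIE suffix is taken from the key quoted in the report.

```php
<?php
// Added example, not MantisBT code; check_cookie_prefix() is a hypothetical name.
// The "_STRING_COOKIE" suffix is taken from the key quoted in the report.

/**
 * Return the reasons a cookie prefix cannot round-trip through PHP,
 * or an empty array when the prefix is safe to use.
 */
function check_cookie_prefix( $p_prefix, $p_suffix = '_STRING_COOKIE' ) {
	$t_problems = array();
	$t_name = $p_prefix . $p_suffix;

	if( $p_prefix === '' ) {
		$t_problems[] = 'prefix is empty';
	}

	// setcookie() refuses names containing any of these characters, so no
	// Set-Cookie header is sent at all. This is consistent with the "TEST 2"
	// case, where nothing shows up in $_COOKIE.
	if( strpbrk( $t_name, "=,; \t\r\n\013\014" ) !== false ) {
		$t_problems[] = 'setcookie() rejects this name; no cookie is sent';
	}

	// When PHP builds $_COOKIE it rewrites '.' and ' ' to '_' and treats '['
	// as array syntax (the "TEST.1" case). parse_str() applies the same
	// rewriting, so it shows the key the application would have to look up.
	parse_str( rawurlencode( $t_name ) . '=x', $t_parsed );
	$t_key = (string)key( $t_parsed );
	if( $t_key !== $t_name ) {
		$t_problems[] = "PHP would expose it as \$_COOKIE['$t_key'], not ['$t_name']";
	}
	return $t_problems;
}

// Constructed sample prefixes: the default, and the two from this issue.
foreach( array( 'MANTIS', 'TEST.1', 'TEST 2' ) as $t_prefix ) {
	$t_problems = check_cookie_prefix( $t_prefix );
	echo $t_prefix, ': ', $t_problems ? implode( '; ', $t_problems ) : 'ok', "\n";
}
```

Running such a check when the configuration is loaded reports the bad prefix by name instead of leaving it to surface as the browser-cookie error on the login page.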

~0027697

dhx (reporter)

Committed, thanks Damien.

I also updated the docbook documentation to reflect this changed comment.

Issue History
Date Modified Username Field Change
2010-11-23 09:54 dregad New Issue
2010-11-23 10:09 dregad Note Added: 0027459
2010-11-23 10:13 dregad File Added: 0001-Fix-12552-Period-should-not-be-used-in-g_cookie_pref.patch
2010-11-23 10:14 dregad Tag Attached: patch
2010-11-30 09:02 dhx Status new => acknowledged
2010-11-30 09:03 dhx Target Version => 1.2.4
2010-12-14 06:09 dhx Assigned To => dhx
2010-12-14 06:09 dhx Status acknowledged => assigned
2010-12-14 21:05 jreese Target Version 1.2.4 => 1.2.5
2010-12-25 03:56 dhx Changeset attached => MantisBT master e45cfb8d
2010-12-25 03:56 dhx Changeset attached => MantisBT master-1.2.x e28dae6a
2010-12-25 03:56 dhx Resolution open => fixed
2010-12-25 03:56 dhx Fixed in Version => 1.2.5
2010-12-25 03:56 dhx Note Added: 0027697
2010-12-25 03:56 dhx Status assigned => resolved
2011-04-05 14:23 jreese Status resolved => closed