View Issue Details

ID: 0012552
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2011-04-05 14:23
Reporter: dregad
Assigned To: dhx
Priority: low
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: git trunk
Target Version: 1.2.5
Fixed in Version: 1.2.5
Summary: 0012552: Use of a period "." in $g_cookie_prefix results in login error
Description

If the cookie prefix string contains a ".", then the following (misleading) error message is displayed on the login page:

Your browser either does not know how to handle cookies, or refuses to handle them.

In gpc_set_cookie, $p_name is correctly set to TEST.1, but in $_COOKIE, the stored value (array index) is TEST_1_STRING_COOKIE.

The easy and obvious workaround is to not use a "." in the prefix string, but this should at least be documented in config_defaults_inc.php.

Steps To Reproduce
  1. Define $g_cookie_prefix = TEST.1 in config_inc.php
  2. Try to log in

Additional Information

Note: the period "." is a valid char in a cookie name, per RFC 2965 and 2616, which define the valid chars for cookies as:

    token      = 1*<any CHAR except CTLs or separators>
    separators = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" | SP | HT
    CTL        = <any US-ASCII control character
                 (octets 0 - 31) and DEL (127)>

Someone else seems to have noticed this behavior of PHP (see user note under setcookie documentation http://php.net/manual/en/function.setcookie.php#99845).

Tags: patch

Relationships

Activities

dregad

2010-11-23 10:09

developer   ~0027459

I wonder if this behavior could be caused by PHP handling of external variables (http://us2.php.net/variables.external) which according to the note is converting spaces and dots to underscores.

But I'm not sure if it's the case, because Mantis behavior is not fully consistent, even though the error message on login page is the same:
$g_cookie_prefix = TEST 2
In gpc_set_cookie, $p_name is set to TEST 2_STRING_COOKIE, but there is no value stored in $_COOKIE
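
One way to catch this misconfiguration before login fails, as an added example that is not MantisBT code: the check below tests a prefix against the RFC 2616 token rules quoted in the report and against the dot/space-to-underscore rewriting described on the PHP manual page linked in the note above. The function names are hypothetical, and the `_STRING_COOKIE` suffix is taken from the cookie names shown in the report.

```php
<?php
// Added example, not MantisBT code; function names are hypothetical.

// RFC 2616 separators: none of these may appear in a token (cookie name).
const RFC2616_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

// Assumption: models only the documented rewriting of dots and spaces to
// underscores that PHP applies to incoming names before filling $_COOKIE.
function php_cookie_key(string $name): string {
    return strtr($name, '. ', '__');
}

// Returns a list of problems with a cookie prefix; an empty list means usable.
function check_cookie_prefix(string $prefix): array {
    if ($prefix === '') {
        return ['prefix is empty'];
    }
    $problems = [];
    foreach (str_split($prefix) as $ch) {
        $ord = ord($ch);
        if ($ord < 32 || $ord >= 127) {
            $problems[] = sprintf('byte 0x%02X is a control or non-ASCII character', $ord);
        } elseif (strpos(RFC2616_SEPARATORS, $ch) !== false) {
            $problems[] = sprintf('"%s" is an RFC 2616 separator', $ch);
        }
    }
    // Cookie name as sent to the browser vs. the key PHP will look up later.
    $sent = $prefix . '_STRING_COOKIE';
    $seen = php_cookie_key($sent);
    if ($sent !== $seen) {
        $problems[] = sprintf('sent as "%s" but keyed in $_COOKIE as "%s"', $sent, $seen);
    }
    return array_values(array_unique($problems));
}

// Constructed sample prefixes: the default plus the two from the report.
foreach (['MANTIS', 'TEST.1', 'TEST 2'] as $prefix) {
    $problems = check_cookie_prefix($prefix);
    echo $prefix, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```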

dregad

2010-11-23 10:13

developer  

0001-Fix-12552-Period-should-not-be-used-in-g_cookie_pref.patch (804 bytes)
From 341991eee9b32bf671047b8c33b01c8569d63d2b Mon Sep 17 00:00:00 2001
From: Damien Regad <damien.regad@merckserono.net>
Date: Tue, 23 Nov 2010 16:10:11 +0100
Subject: [PATCH] Fix #12552: Period should not be used in g_cookie_prefix

Modified comment in config_defaults_inc.php to document this
---
 config_defaults_inc.php |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index b3f8bd8..41341d7 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -2764,7 +2764,7 @@
 
 	/**
 	 * --- cookie prefix ---------------
-	 * set this to a unique identifier.  No spaces.
+	 * set this to a unique identifier.  No spaces or periods.
 	 * @global string $g_cookie_prefix
 	 */
 	$g_cookie_prefix		= 'MANTIS';
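Review bot: the reworded comment line ("No spaces or periods.") states the restriction but gives no reason and nothing enforces it, so a prefix such as TEST.1 will still fail at login with the misleading cookie-support message described in the report. Suggest extending the comment to say why (per the PHP manual page cited in note 0027459, dots and spaces in incoming variable names are converted to underscores, so the name passed to gpc_set_cookie no longer matches the key in $_COOKIE), and consider a follow-up that checks $g_cookie_prefix for these characters when the configuration is loaded, so the administrator sees an accurate error instead.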
-- 
1.7.1

dhx

2010-12-25 03:56

reporter   ~0027697

Committed, thanks Damien.

I also updated the docbook documentation to reflect this changed comment.

Related Changesets

MantisBT: master e45cfb8d

2010-11-23 15:10:11

Damien Regad


Committer: dhx
Fix 0012552: Periods should not be used in g_cookie_prefix

Modified comment in config_defaults_inc.php to document this. The
administration guide documentation has also been updated.

Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/Configuration.xml

MantisBT: master-1.2.x e28dae6a

2010-11-23 15:10:11

Damien Regad


Committer: dhx
Fix 0012552: Periods should not be used in g_cookie_prefix

Modified comment in config_defaults_inc.php to document this. The
administration guide documentation has also been updated.

Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
mod - config_defaults_inc.php
mod - docbook/adminguide/en/configuration.sgml

Issue History

Date Modified Username Field Change
2010-11-23 09:54 dregad New Issue
2010-11-23 10:09 dregad Note Added: 0027459
2010-11-23 10:13 dregad File Added: 0001-Fix-12552-Period-should-not-be-used-in-g_cookie_pref.patch
2010-11-23 10:14 dregad Tag Attached: patch
2010-11-30 09:02 dhx Status new => acknowledged
2010-11-30 09:03 dhx Target Version => 1.2.4
2010-12-14 06:09 dhx Assigned To => dhx
2010-12-14 06:09 dhx Status acknowledged => assigned
2010-12-14 21:05 jreese Target Version 1.2.4 => 1.2.5
2010-12-25 03:56 dhx Changeset attached => MantisBT master e45cfb8d
2010-12-25 03:56 dhx Changeset attached => MantisBT master-1.2.x e28dae6a
2010-12-25 03:56 dhx Resolution open => fixed
2010-12-25 03:56 dhx Fixed in Version => 1.2.5
2010-12-25 03:56 dhx Note Added: 0027697
2010-12-25 03:56 dhx Status assigned => resolved
2011-04-05 14:23 jreese Status resolved => closed