Page MenuHomePhabricator
Create Task
Maniphest T3471

Be more conservative in overwriting `phcid`
Closed, ResolvedPublic
Actions

Description

@asherkin reports some issues with OAuth and 'state' cookies, which I can only guess might be 'phcid'-ovewrite related.

We can set this cookie to expire when the browser closes and decline to overwrite it with no appreciable effects on security.

Revisions and Commits

rP Phabricator
D8537rP559c0fe88663 Tune cookie behaviors for 'phcid', 'phreg', etc

Event Timeline

epriestley triaged this task as Normal priority.Jul 1 2013, 2:35 PM
epriestley added a project: Auth.
epriestley added subscribers: epriestley, asherkin.
epriestley added a comment.Aug 7 2013, 12:34 PM

Another user with SPOF-O-Matic installed (see also T3117) also hit an issue.

epriestley added a comment.Sep 8 2013, 2:16 PM

"Speed DNS" also apparently causes problems, presumably through a similar mechanism:

https://addons.mozilla.org/en-US/firefox/addon/speed-dns/

gaspaio edited this Maniphest Task.Feb 15 2014, 3:53 PM
epriestley edited this Maniphest Task.Feb 15 2014, 3:54 PM
epriestley added a comment.Feb 25 2014, 6:34 PM

The phcid and phreg, and next cookies should also expire when the browser closes rather than having very long lifetimes.

epriestley changed the visibility from "All Users" to "Public (No Login Required)".Feb 25 2014, 6:34 PM

Oh, that was already in the description:

We can set this cookie to expire when the browser closes...

epriestley edited this Maniphest Task.Mar 14 2014, 7:46 PM
epriestley edited this Maniphest Task.Mar 14 2014, 9:33 PM
epriestley closed this task as Resolved.Mar 14 2014, 9:33 PM

Closed by commit rP559c0fe88663.

Phabricator · Built by Phacility