Broken HTTPS certificates cookie support

User Help for Seamonkey and Mozilla Suite
voltagain
Posts: 3
Joined: March 28th, 2017, 8:31 am

Broken HTTPS certificates cookie support

Post by voltagain »

When developing a www-service with SSL, cookies are needed. Certificates are not yet ready - CA certified keys do not exist.

Using the Opera browser, the browser is able to store the cookie from the site. SeaMonkey does not save the cookie. Neither does Chromium. If the cookie does not have "secure" on, it is still not saved in SeaMonkey. The cookie comes from the server, as seen with DragonFly from Chromium and Opera. SeaMonkey and Chromium do not send it to the server and do not save it. Opera saves it and resends it.

* Is the certificate the reason the cookie is not resent from Seamonkey?
* How can I manufacture certificates to use during the development? Is it possible to store the certificate in browser during the development?
* And last but not least, how can I get DragonFly to Seamonkey?

I'm using a proxy from Apache httpd to the developed HTTP server that gives the cookie. The httpd is meant to remove the SSL, and the cookie is still in https mode (the "secure" and "HttpOnly" are set). Removing "secure" has no effect.

br, Voltagain :-k #-o :?:

P.S.
Where and how to get a commercial CA key to sign other certificates? The best one is listed (in most browsers). I'm afraid what the cost may be.
voltagain
Posts: 3
Joined: March 28th, 2017, 8:31 am

Solved: Broken HTTPS certificates cookie support

Post by voltagain »

This post may have been in a wrong place. Sorry. The reason was in the cookie format, not in the invalid certificates.

Not working Set-cookie: #1

Set-Cookie: TEST=12341234123412341234123412341234123412341234; Expires=Mon Apr 10 15:50:00 2017; Max-Age=14400 ; Path="/"; Domain="server.mydomain.com"; Secure; HttpOnly

Working Set-cookie: #2

Set-Cookie: TEST=12341234123412341234123412341234123412341234; Expires=Mon Apr 10 15:50:00 2017; Max-Age=14400 ; Path=/; Domain=server.mydomain.com; Secure; HttpOnly

Browser comparison:

Opera 12.16: both #1 and #2
Chromium 54.0: only #2 works
Seamonkey 2.46: only #2 works

Seamonkey could make a difference with Opera and use quotes around the values if they are used from the server. RFC 6265 defines the following syntax:

cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )

It looks to me that both Chromium and SeaMonkey have not implemented the double quotes value option. Maybe this is missing. My program did not work with SeaMonkey.

And sorry about the details. The post should have been sent to a different list. Where to get the certificates to test is still a problem, and DragonFly is really helpful in developing applications.

voltagain :wink:
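
An added example, not part of the original posts and not any browser's own code: a simplified sketch of the RFC 6265 section 5.2 and 5.3 user-agent steps for the Domain and Path attributes, run on headers #1 and #2 from the post above. The request host and request path are assumed values, and all other attributes are ignored.

```javascript
// Added example: simplified RFC 6265 section 5.2/5.3 handling of Domain and Path.
// The algorithm trims whitespace from attribute values but never strips quotes.

function domainMatch(host, domain) {          // section 5.1.3, IP-literal check omitted
  return host === domain || host.endsWith("." + domain);
}

function defaultPath(requestPath) {           // section 5.1.4
  const last = requestPath.lastIndexOf("/");
  return !requestPath.startsWith("/") || last === 0 ? "/" : requestPath.slice(0, last);
}

function processSetCookie(header, requestHost, requestPath) {
  const [pair, ...attrs] = header.split(";");
  const eq = pair.indexOf("=");
  const name = eq < 0 ? "" : pair.slice(0, eq).trim();
  if (name === "") return { stored: false, reason: "missing cookie name" };
  const host = requestHost.toLowerCase();
  let domainAttr = "";
  let path = defaultPath(requestPath);
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && val !== "") {
      domainAttr = val.replace(/^\./, "").toLowerCase();  // 5.2.3: only a leading dot is removed
    } else if (key === "path") {
      path = val.startsWith("/") ? val : defaultPath(requestPath);  // 5.2.4
    }
  }
  if (domainAttr !== "" && !domainMatch(host, domainAttr)) {  // 5.3 step 6: ignore the cookie
    return { stored: false, reason: `Domain ${domainAttr} does not match ${host}` };
  }
  return { stored: true, name, value: pair.slice(eq + 1).trim(),
           domain: domainAttr || host, hostOnly: domainAttr === "", path };
}

// Headers #1 and #2 from the post; request host and path are assumed values.
const common = "TEST=12341234123412341234123412341234123412341234; " +
  "Expires=Mon Apr 10 15:50:00 2017; Max-Age=14400 ; ";
const quoted = common + 'Path="/"; Domain="server.mydomain.com"; Secure; HttpOnly';
const bare = common + "Path=/; Domain=server.mydomain.com; Secure; HttpOnly";
const HOST = "server.mydomain.com", REQ_PATH = "/app/login";

console.log(processSetCookie(quoted, HOST, REQ_PATH));   // rejected: quoted Domain
console.log(processSetCookie(bare, HOST, REQ_PATH));     // stored with path "/"
console.log(processSetCookie('TEST=1; Path="/"', HOST, REQ_PATH)); // stored, default path
```

Under these steps the quoted Domain is the attribute that causes the whole cookie to be dropped; a quoted Path alone only falls back to the default path derived from the request URL.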