Bug 215475

Summary: pxt-session-cookie is set to expire in 2043
Product: [Retired] Red Hat Network
Component: RHN/Web Site
Version: rhn415
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Reporter: Josh Larios <jdlarios>
Assignee: Sebastian Skracic <sskracic>
QA Contact: Red Hat Network Quality Assurance <rhn-qa-list>
CC: ggainey, rhn-bugs, vambati
Whiteboard: US=3391
Doc Type: Bug Fix
Last Closed: 2010-09-13 16:05:02 UTC
Bug Blocks: 616792

Description Josh Larios 2006-11-14 09:06:35 UTC
Description of problem:

I can use wget and lynx to log into RHN and retrieve
https://rhn.redhat.com/rhn/YourRhn.do, but not
https://rhn.redhat.com/network/software/download_isos.pxt

I have traced this to an inability of lynx and wget to store cookies which
expire after Tue, 19-Jan-2038 03:14:07 GMT, aka gmtime(2**31-1). 

For some reason, the pxt-session-cookie cookie is set to expire well beyond that
date. In my test just now, it was set to expire on Sun, 27-Sep-2043 17:03:58 GMT. 

While this isn't necessarily a bug with RHN, exactly, it's the first time I've
seen a cookie set to expire beyond 2038. And given that it claims to be a
session cookie, which I'd expect to have a shorter lifetime than 36 years, it
seems odd.

Version-Release number of selected component (if applicable):

Red Hat Network release 4.1.5, as reported by rhn.redhat.com.

How reproducible:

Log into https://rhn.redhat.com/ with the LiveHTTPHeaders Firefox extension
turned on and examine the Set-Cookie headers sent by the server.

Steps to Reproduce:
1. Download, install and enable LiveHTTPHeaders from
http://livehttpheaders.mozdev.org/
2. Log into https://rhn.redhat.com/rhn/YourRhn.do
3. Examine the Set-Cookie headers sent by the server.
  
Actual results:

An expiration date past 2038:

Set-Cookie: pxt-session-cookie=3013414990x86e8a634f140eb23457c66bde1907af5; Domain=rhn.redhat.com; Expires=Sun, 27-Sep-2043 17:03:58 GMT; Path=/; Secure

Expected results:

A more reasonable expiration date, such as this one:

Set-Cookie: rh_user=uwjdlarios|Joshua|customer|; Domain=.redhat.com; Expires=Wed, 14-Nov-2007 08:01:59 GMT; Path=/

Additional info:

To reproduce using wget:

wget \
 -O hidden.txt \
 --keep-session-cookies \
 --save-cookies cookies.txt \
 https://www.redhat.com/wapps/sso/rhn/login.html?redirect=https%3A%2F%2Frhn.redhat.com%2Frhn%2FYourRhn.do

hidden=`grep _flowExecutionKey hidden.txt | perl -pe 's/.*value="([^"]+)".*/\1/'`

wget -S -dv \
 --post-data="username=[YOUR RHN USERNAME]&password=[YOUR RHN PASSWORD]&_flowId=login-flow&_flowExecutionKey=$hidden&_eventId_submit=Log+In" \
 --keep-session-cookies \
 --load-cookies cookies.txt \
 --save-cookies cookies.txt \
 --referer="https://www.redhat.com/wapps/sso/rhn/login.html?redirect=https%3A%2F%2Frhn.redhat.com%2Frhn%2FYourRhn.do" \
 https://www.redhat.com/wapps/sso/rhn/login.html?redirect=https%3A%2F%2Frhn.redhat.com%2Frhn%2FYourRhn.do

Verify that some cookies such as rh_sso, rh_user and rh_shared_auth have been
saved in cookies.txt, but pxt-session-cookie has not.
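
The check described in this report, written out as an added example (it is not part of the original report and is not RHN code): it parses a Set-Cookie header, tests whether the Expires value still fits in a signed 32-bit time_t, and computes the cookie lifetime. The 30-day limit and the "name contains session" heuristic are assumptions made for the example, and the cookie values in the sample headers are replaced with placeholders.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

INT32_MAX = 2**31 - 1   # Tue, 19 Jan 2038 03:14:07 GMT, the limit named in the report
MAX_SESSION_DAYS = 30   # assumed policy threshold, not a value from the report

def audit_set_cookie(header, now):
    """Return findings for one Set-Cookie header, relative to `now` (aware UTC)."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()
    result = {"name": name, "expires": None, "fits_int32": True,
              "lifetime_days": None, "findings": []}
    if "expires" not in attrs:
        return result  # no Expires attribute: cookie lives only for the client session
    expires = parsedate_to_datetime(attrs["expires"])  # accepts the dd-Mon-yyyy form
    result["expires"] = expires
    result["fits_int32"] = int(expires.timestamp()) <= INT32_MAX
    result["lifetime_days"] = (expires - now).total_seconds() / 86400
    if not result["fits_int32"]:
        result["findings"].append("expiry does not fit in a signed 32-bit time_t")
    # Heuristic (assumption): a cookie named "...session..." should be short-lived.
    if "session" in name.lower() and result["lifetime_days"] > MAX_SESSION_DAYS:
        result["findings"].append("session cookie lifetime exceeds policy")
    return result

# Headers from the report with cookie values replaced; NOW is the report's timestamp.
NOW = datetime(2006, 11, 14, 9, 6, 35, tzinfo=timezone.utc)
SAMPLES = [
    "Set-Cookie: pxt-session-cookie=PLACEHOLDER; Domain=rhn.redhat.com; "
    "Expires=Sun, 27-Sep-2043 17:03:58 GMT; Path=/; Secure",
    "Set-Cookie: rh_user=PLACEHOLDER; Domain=.redhat.com; "
    "Expires=Wed, 14-Nov-2007 08:01:59 GMT; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLES:
        r = audit_set_cookie(h, NOW)
        print(r["name"], r["expires"], round(r["lifetime_days"]), r["findings"])
```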

Comment 1 Josh Larios 2006-11-14 09:09:42 UTC
Nuts. Clearly some long lines were cut and wrapped inappropriately. It should be
clear which they are, though.

Comment 2 Red Hat Bugzilla 2007-04-12 01:43:31 UTC
User bnackash's account has been closed

Comment 5 Sebastian Skracic 2010-07-26 11:05:59 UTC
Fixed in 1f808c008457ffebd592c78e7cda86bd73bdbc85.

Comment 6 Grant Gainey 2010-07-26 22:00:47 UTC
Verified in WEBDEV

Comment 7 venkat 2010-08-27 20:06:53 UTC
verified in QA.