215475 – pxt-session-cookie is set to expire in 2043

Bug 215475 - pxt-session-cookie is set to expire in 2043

Summary: pxt-session-cookie is set to expire in 2043

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Network
Classification:	Retired
Component:	RHN/Web Site
Sub Component:
Version:	rhn415
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Sebastian Skracic
QA Contact:	Red Hat Network Quality Assurance
Docs Contact:
URL:
Whiteboard:	US=3391
Depends On:
Blocks:	rhn-sprint50
TreeView+	depends on / blocked

Reported:	2006-11-14 09:06 UTC by Josh Larios
Modified:	2010-09-13 16:05 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2010-09-13 16:05:02 UTC
Embargoed:

Attachments	(Terms of Use)

Description Josh Larios 2006-11-14 09:06:35 UTC

Description of problem:

I can use wget and lynx to log into RHN and retrieve
https://rhn.redhat.com/rhn/YourRhn.do, but not
https://rhn.redhat.com/network/software/download_isos.pxt

I have traced this to an inability of lynx and wget to store cookies which
expire after Tue, 19-Jan-2038 03:14:07 GMT, aka gmtime(2**31-1). 

For some reason, the pxt-session-cookie cookie is set to expire well beyond that
date. In my test just now, it was set to expire on Sun, 27-Sep-2043 17:03:58 GMT. 

While this isn't necessarily a bug with RHN, exactly, it's the first time I've
seen a cookie set to expire beyond 2038. And given that it claims to be a
session cookie, which I'd expect to have a shorter lifetime than 36 years, it
seems odd.

Version-Release number of selected component (if applicable):

Red Hat Network release 4.1.5, as reported by rhn.redhat.com.

How reproducible:

Log into https://rhn.redhat.com/ with the LiveHTTPHeaders firefox extension
turned on and examine the Set-Cookie headers sent by the server.

Steps to Reproduce:
1. Download, install and enable LiveHTTPHeaders from
http://livehttpheaders.mozdev.org/
2. Log into https://rhn.redhat.com/rhn/YourRhn.do
3. Examine the Set-Cookie headers sent by the server.
  
Actual results:

An expiration date past 2038:

Set-Cookie: pxt-session-cookie=3013414990x86e8a634f140eb23457c66bde1907af5; Doma
in=rhn.redhat.com; Expires=Sun, 27-Sep-2043 17:03:58 GMT; Path=/; Secure

Expected results:

A more reasonable expiration date, such as this one:

Set-Cookie: rh_user=uwjdlarios|Joshua|customer|; Domain=.redhat.com; Expires=Wed
, 14-Nov-2007 08:01:59 GMT; Path=/

Additional info:

To reproduce using wget:

wget \
 -O hidden.txt \
 --keep-session-cookies \
 --save-cookies cookies.txt \
 https://www.redhat.com/wapps/sso/rhn/login.html?redirect=https%3A%2F%2Frhn.redh
at.com%2Frhn%2FYourRhn.do

hidden=`grep _flowExecutionKey hidden.txt | perl -pe 's/.*value="([^"]+)".*/\1/'`

wget -S -dv \
 --post-data="username=[YOUR RHN USERNAME]&password=[YOUR RHN
PASSWORD]&_flowId=login-flow&_flowExecutionKey=$hidden&_eventId_submit=Log+In" \
 --keep-session-cookies \
 --load-cookies cookies.txt \
 --save-cookies cookies.txt \
 --referer="https://www.redhat.com/wapps/sso/rhn/login.html?redirect=https%3A%2F
%2Frhn.redhat.com%2Frhn%2FYourRhn.do" \
https://www.redhat.com/wapps/sso/rhn/login.html?redirect=https%3A%2F%2Frhn.redha
t.com%2Frhn%2FYourRhn.do

Verify that some cookies such as rh_sso, rh_user and rh_shared_auth have been
saved in cookies.txt, but pxt-session-cookie has not.

Comment 1 Josh Larios 2006-11-14 09:09:42 UTC

Nuts. Clearly some long lines were cut and wrapped inappropriately. It should be
clear which they are, though.

Comment 2 Red Hat Bugzilla 2007-04-12 01:43:31 UTC

User bnackash's account has been closed

Comment 5 Sebastian Skracic 2010-07-26 11:05:59 UTC

Fixed in 1f808c008457ffebd592c78e7cda86bd73bdbc85.

Comment 6 Grant Gainey 2010-07-26 22:00:47 UTC

Verified in WEBDEV

Comment 7 venkat 2010-08-27 20:06:53 UTC

verified in QA.

Note You need to log in before you can comment on or make changes to this bug.