Details
- Bug
- Resolution: Fixed
- Medium
- 0.6
- None
- Windows 2000, IE Vers 6.0, Orion App server, JDK1.4.2
- true
Description
Using IE6.0 and serph 0.6
I find that the cookie login may not work under certain conditions. I haven't done a detailed analysis of this but observed what is happening with the parameters I have used. The three characters I have used for cookie encoding are "Trl" with a user name set to "admin". With these the CookieUtils encoding algorithm produced the following:
encodes char a binary value 97 into 125 and 111
encodes char d binary value 100 into 129 and 111
encodes char m binary value 109 into 115 and 111
encodes char i binary value 105 into 118 and 111
encodes char n binary value 110 into 114 and 111
An important point to note is the encoding of the character 'd': it has been encoded into two bytes with values 129 and 111.
Since cookies are transferred as HTTP headers they are confined to the US-ASCII character set (0-127), so there is a good chance that 129 will either be lost or mangled. To prove this I traced the recovered cookie and I found the following:
The following table shows each digit as it is recovered by adding to it the appropriate offset and required left shift. Finally the recovered digits are combined to give the reconstituted value in decimal and ascii.
col_1 - encoded cookie digit
col_2 - encoded cookie digit - offset1
col_3 - encoded cookie digit
col_4 - encoded cookie digit - offset2 << 4
col_5 - reconstituted byte in decimal
col_6 - reconstituted byte in ASCII

col_1  col_2  col_3  col_4  col_5  col_6
}      11     o      59     97     a
?      65419  o      65467  -32    ?
s      1      o      49     109    m
v      4      o      52     105    i
r      0      o      48     110    n
This shows that the character 'd' was not recovered correctly and therefore the user will not be logged in via a cookie.
I feel the solution to this is to Base64 encode the "encoded username/password" to avoid binary values which may not be handled correctly within a cookie.
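The failure described above, as an added example that is not Serph's CookieUtils code: toy_encode is a hypothetical encoder chosen only because it reproduces the byte pairs listed in the report, transport assumes the header text is read back as UTF-8 with the invalid byte replaced by U+FFFD (the 65533 behind col_2's 65419), and cookie_value applies the Base64 wrapping the reporter proposes.

```python
import base64

# Parameters from the report: second and third of the "Trl" characters.
OFFSET1, OFFSET2 = ord("r"), ord("l")
KEY0 = ord("Z")  # assumed start of a rolling XOR key; fits every row of the table


def toy_encode(name: str) -> bytes:
    """Hypothetical nibble-split encoder (not the real CookieUtils) that
    reproduces the byte pairs the report lists, e.g. 'd' -> 129, 111."""
    out = bytearray()
    for i, ch in enumerate(name):
        v = ord(ch) ^ (KEY0 + i)
        out.append(OFFSET1 + (v & 0x0F))   # low nibble: can exceed 127
        out.append(OFFSET2 + (v >> 4))     # high nibble: stays below 128
    return bytes(out)


def transport(raw: bytes) -> str:
    """Assumed transport: the header is read back as UTF-8 text; a lone byte
    >= 128 is replaced by U+FFFD, the '?' (65533) seen in the report's table."""
    return raw.decode("utf-8", errors="replace")


def recover(text: str) -> list:
    """Mirror of toy_encode with 16-bit arithmetic, returning the reconstituted
    values as signed shorts (col_5 of the report's table)."""
    values = []
    for i in range(0, len(text), 2):
        lo = (ord(text[i]) - OFFSET1) & 0xFFFF        # col_2
        hi = (ord(text[i + 1]) - OFFSET2) << 4        # col_4 before adding lo
        v = ((hi + lo) ^ (KEY0 + i // 2)) & 0xFFFF
        values.append(v - 0x10000 if v >= 0x8000 else v)
    return values


def cookie_value(raw: bytes) -> str:
    """Proposed fix: Base64 keeps the cookie value inside US-ASCII."""
    return base64.b64encode(raw).decode("ascii")


def recover_from_cookie(cookie: str) -> list:
    """Undo Base64, then decode the bytes exactly as they were produced."""
    return recover(base64.b64decode(cookie).decode("latin-1"))


if __name__ == "__main__":
    raw = toy_encode("admin")
    print(list(raw))                               # [125, 111, 129, 111, 115, 111, 118, 111, 114, 111]
    print(recover(transport(raw)))                 # [97, -32, 109, 105, 110]
    print(recover_from_cookie(cookie_value(raw)))  # [97, 100, 109, 105, 110]
```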
Issue Links
- is related to SER-94 Autologin cookie should be encoded with real encryption (RESOLVED)