Bug #2423


Firefox cookie handling bug results in permanent ban

Added by virtulis over 9 years ago. Updated about 9 years ago.

Target version:


I have experienced #2188 today with 1.4.31 with all Firefox users coming from an ad being greeted by "400 Bad Request".

Turns out Google Analytics still sets buggy cookies as this one Firefox (at least 10.0.4) will happily set and send such a cookie, resulting in a permanent ban for the user without any chance to lift it by the webmaster or the unsuspecting user.

Sure, it is a bug in Firefox, and not in lighty, but it's a "feature" of lighty that currently means we'll have to change to something else asap. So please reconsider removing this restriction.

I can't currently test with a later version (a bit busy ;) ), please excuse me if it's already been fixed.

Related issues

Related to Bug #2188: Lighttpd returns 400 Bad requestInvalid2010-04-16Actions
Actions #1

Updated by stbuehler over 9 years ago

  • Status changed from New to Duplicate
  • Target version deleted (1.4.x)
Actions #2

Updated by virtulis over 9 years ago case you were wondering, the old bug can't be reopened because "Author can't be blank".

If you really believe the issue is still "invalid", well, ...

Actions #3

Updated by cicik about 9 years ago

Do you plan to do something about this bug? #2188 can't be reopened because there is problem with the author.

Almost every site has installed google analytics code. This code sets some cookies specific for campaign tracking. This mechanism can be used to set any value for this cookie. Look at this url:

when google analytics is installed on the site it will set cookie with parameters present in this url. Look at the last one. There is special character number 5 which will be saved in the cookie. Next, any requests from this visitor to this domain will end up with 400 Bad request error.

This mechanism may be used to ban the page to it's visitors. Some atacker may share this buggy link with others and the site may be blocked for many many people (!!!).

I think that you shouldn't block the request when cookie contains some control characters. It is completely legal and possible by scripts to save such character in the cookie - so you shouldn't block it.

I had to change the sources of lighttpd and compile it today because some versions of some browsers (ex. IE, Firefox) changed polish specific letter "?" into control character number 5. This character was saved in cookie and website was blocked for many many people. The same mechanism may be used by atackers.

Actions #4

Updated by nitrox about 9 years ago

Just assigned "Anonymouse" to #2188 and hopefully fixed the author problem.


Also available in: Atom