X-notifier hijacking cookies from other domains?

Submitted by Moriarty on Sun, 06/02/2013 - 18:52

Forums:

I noticed a lot of cookies suddenly vanishing from firebugs cookie view while testing scripts on a domain. After investigating, I found out that the problem stopped after disabling X-notifier.

After looking in firefox's own cookie panel, and searching for the domain I was setting cookies on, I could see that the cookies I set, had a string appended to the domain in the form of [xn#gmail#MY-EMAIL#2]. I guess that this is the reason they are not showing up in firebugs cookie panel.

It seems like a critical bug!

I will try to see if I can find a solid way to reproduce the problem, and post it.

I am currently using Cyberfox 21 and firebug 1.12.0a7. But I have experienced the problem in other versions of firefox and firebug.

Moriarty

Sun, 06/02/2013 - 19:15

I found this post which seems to be related.

Strange cookies: http://xnotifier.tobwithu.com/dp/node/197

"It is normal. One is for background mail checking. #2 is used for opened tab."

Even if it's normal, it seems be causing some problems. Especially when it is meddling with unrelated cookies (ie cookies having nothing to do with mail accounts). In my case, it seems like it is overwriting the original cookie, when searching in firefox own cookie panel, as the cookie without the appended xn-string doesn't appear. But calling document.cookie in the firebug console in the tab with the domain, I can see the cookie I set in the cookiestring.

Moriarty

Sun, 06/02/2013 - 21:19

It seems I resolved the issue by changing the below hidden option to false:

"extensions.xnotifier.saveCookies : true
save X-notifier's cookies to Firefox's cookie manager"

I don't know what this option does, i.e. what functionality I'm limiting by setting the value to false. But it seems I no longer have issues with cookies not showing up because they are getting the xn-string appended.

tobwithu's picture

tobwithu

Sun, 06/02/2013 - 21:48

extensions.xnotifier.saveCookies
When it is set to 'true', X-notifier's cookies are saved in Firefox's cookie manager.
When it is set to 'false', X-notifier's cookies are not saved. They are on memories while Firefox is running.

 

Moriarty

Sun, 06/02/2013 - 22:53

Thank you for the elaboration. Setting it to false is definitely the way to go then.

... However, it still seems like there is a bug when set to true.

Still, thanks for a great addon.

supercereal's picture

supercereal

Fri, 06/07/2013 - 03:49

Thank you for this, Moriarty and tobwithu. Since I installed X-notifier a few days ago, random domains would 'forget' my credentials, forcing me to login again. I disabled X-notifier when I realized it was causing the problem.

After seeing your thread I did a bit of testing, and found that X-notifier hijacks the cookies related to whatever other site tabs are open at the time I click the X-notifier icon to view my mail. That is, if I have linkedin.com, google.com and tobwithu.com tabs open, then click the X-notifier toolbar icon to view my mail, duplicate cookies will be written for those open tabs:

.mail.yahoo.com
.mail.yahoo.com[xn#yahoo#yourname%40yahoo.com#2]
.linkedin.com
.linkedin.com[xn#yahoo#yourname%40yahoo.com#2]
.google.com
.google.com[xn#yahoo#yourname%40yahoo.com#2]
.xnotifier.tobwithu.com
.xnotifier.tobwithu.com[xn#yahoo#yourname%40yahoo.com#2]

So, for now I have toggled off extensions.xnotifier.saveCookies, and all is well.

I add my thanks too, tobwithu, for such a wonderful extension!

supercereal's picture

supercereal

Fri, 06/07/2013 - 10:17

I spoke too soon.

Though I toggled extensions.xnotifier.saveCookies to false, the problem persists.
Clicking X-notifier causes other open tabs' cookies to not work. Closing then opening Firefox fixes the problem.
I am guessing it is affecting the cookies in memory? 

CFBancroft's picture

CFBancroft

Fri, 06/07/2013 - 11:28

What Benfit saved cookie on 'Firefox's cookie manager'?

 

What Benfit not saved cookie, but 'on memories while Firefox is running'?

 

I would like for you to explain a bit more for X-N user and include me,
So that they will understand what your purpose regard to cookie handles.

Thanks, CFBancroft

 

tobwithu's picture

tobwithu

Sat, 06/08/2013 - 15:58

Saving cookie on 'Firefox's cookie manager
 - When you restart firefox, X-notifier uses those cookies. It means that X-notifier can access webmails quickly without login.

Not saving cookie on 'Firefox's cookie manager
- Prevent cookie related problems with other program.

tobwithu's picture

tobwithu

Sat, 06/08/2013 - 16:01

@Moriarty

I'm not sure what is your problem exactly.
However, it seems that it is related to the session manager in X-notifier.
http://xnotifier.tobwithu.com/dp/node/5

solstyce9's picture

solstyce9

Fri, 12/06/2013 - 01:35

I'm having the same problem, two different computers.  It took a lot of enabling and disabling before I narrowed it down to X-Notifier.

I'm extremely sensitive to cookie misbehavior and was thinking an extension was stealing my authentication cookies.

I'll try disabling this preference to see if it helps, but if not, I'm going to have to uninstall X-notifier.  It's more important that my authentication cookies work correctly than I receive new mail notifications from my webmail accounts.