Join the Mozilla’s Test Days event from Dec 2–8 to test the new Firefox address bar on Firefox Beta 134 and get a chance to win Mozilla swag vouchers! 🎁

Ce site disposera de fonctionnalités limitées pendant que nous effectuons des opérations de maintenance en vue de vous proposer un meilleur service. Si un article ne règle pas votre problème et que vous souhaitez poser une question, notre communauté d’assistance est prête à vous répondre via @FirefoxSupport sur Twitter, et /r/firefox sur Reddit.

Avatar for Username

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Ce sujet de discussion a été archivé. Veuillez poser une nouvelle question si vous avez besoin d’aide.

How to make Firefox accept a third-party cookie used for authentication by a Java web application?

  • 4 réponses
  • 1 a ce problème
  • 13 vues
  • Dernière réponse par cor-el

guyot.o
guyot.o
more options

Hi,

I am a developer currently working on an open-source solution called GeoNetwork (https://github.com/geonetwork/core-geonetwork/). This application has a Java backend that uses a JSESSIONID cookie to track user sessions. One instance of the application can be accessed anonymously here: https://sextant.ifremer.fr/Donnees/Catalogue

The session cookie is set on the first request to the backend with the following parameters:

Domain: "sextant.ifremer.fr" expirationDate: "Session" HostOnly: true HttpOnly: true SameSite: "None" Secure: true

This application theoretically allows login in from a different origin. For example from https://www.milieumarinfrance.fr/Acces-aux-donnees/Catalogue, which under the hood points to the same backend. We noticed recently that when accessing the application from a different origin in Firefox, the network requests aimed at the "sextant.ifremer.fr" host *do not carry any existing session cookie*, thus rendering authenticated access impossible.

The existing session cookie is correctly used when I add an "allow" exception for the sextant.ifremer.fr origin in the cookies settings of Firefox (see attached screenshot in French). So I figure that it's Firefox that decides not to use any existing cookie when on this origin.

Is there any way to indicate to Firefox that this cookie is legitimate and that it is needed for essential functionalities, without relying on the user allowing the cookie explicitly?

Thanks a lot in advance!

Hi, I am a developer currently working on an open-source solution called GeoNetwork (https://github.com/geonetwork/core-geonetwork/). This application has a Java backend that uses a JSESSIONID cookie to track user sessions. One instance of the application can be accessed anonymously here: https://sextant.ifremer.fr/Donnees/Catalogue The session cookie is set on the first request to the backend with the following parameters: Domain: "sextant.ifremer.fr" expirationDate: "Session" HostOnly: true HttpOnly: true SameSite: "None" Secure: true This application theoretically allows login in from a different origin. For example from https://www.milieumarinfrance.fr/Acces-aux-donnees/Catalogue, which under the hood points to the same backend. We noticed recently that when accessing the application from a different origin in Firefox, the network requests aimed at the "sextant.ifremer.fr" host *do not carry any existing session cookie*, thus rendering authenticated access impossible. The existing session cookie is correctly used when I add an "allow" exception for the sextant.ifremer.fr origin in the cookies settings of Firefox (see attached screenshot in French). So I figure that it's Firefox that decides not to use any existing cookie when on this origin. Is there any way to indicate to Firefox that this cookie is legitimate and that it is needed for essential functionalities, without relying on the user allowing the cookie explicitly? Thanks a lot in advance!
Captures d’écran jointes

Toutes les réponses (4)

stygian.shift
stygian.shift
more options

Firefox "cookie Jar" thing has broken a lot of stuff for a lot of people, try turning it off in your settings and see if that fixes it.

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

Some reading about the new behavior.

guyot.o
guyot.o Auteur de la question
more options

Thanks cor-el, using the FAQ I could confirm that the issue is indeed related to Total Cookie Protection. Disabling it makes the issue go away.

Should I just create an issue on the Mozilla bug tracker and ask them to somehow "approve" the sextant.ifremer.fr origin? Thanks :)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

You can always give this a try and create a bug report to make them aware that there issues with your website and get advice about the best way to proceed. Firefox will notice in some cases that cookies from some from some third-party servers are essential and allow them.