BUG: Using EP on same domain, but over different protocols causes "Warning: it appears that your browser does not have cookies enabled. "

[tiblu]

Reproduce

• Access EP instance over HTTPS
• Access EP instance over HTTP on the same domain

Result

• Alert:

Warning: it appears that your browser does not have cookies enabled. EtherPad uses cookies to keep track of unique users for the purpose of putting a quota on the number of active users. Using EtherPad without cookies may fill up your server's user quota faster than expected.

• Etherpad renders fine, but prefs are lost.

Expected

• No error

Root cause

• When visiting over HTTPS prefs=..;secure cookie is set.
• When visiting over HTTP, EP tries to write prefs= NON secure cookie, but fails cause browser denies overwriting secure cookie with the same name. Thus error is displayed.

Introduced by

• 06ff023

Solution

I know this probably does not bother a lot of people as HTTPS should be the standard protocol and never use over HTTP. For us it only causes problems in testing environments. If we talk about solutions only idea I have is:

• To have differently named cookies for HTTPS and HTTP.
  • HTTPS - prefsSecure (or whatever)
  • HTTP - prefs

The shortcoming of this solution is that prefs are different for HTTP and HTTPS depending which User opens. But taking into account, that prefs are lost anyway for this bug, it's OK.

I will PR this if people find this solution OK.

[lpagliari]

@Gared what do you think?

[tiblu]

@lpagliari @Gared Forgot to mention that I only tested this on Chrome. Not sure what other browsers think of trying to write non-secure cookie with the same name on the same domain.

[lpagliari]

@tiblu I'm not sure if @Gared will have time to take a look on this for now, but for me it makes sense to fix as you said. Could you implement the fix for this, please? Thanks!

[Gared]

@tiblu Sorry for the late response.
I think this makes sense to fix this issue as you described. It's the best solution for this problem right now.

[tiblu]

@Gared @lpagliari Created a PR (#3187), but Travis seems to hang due to some kind of build script issue.

https://travis-ci.org/ether/etherpad-lite/builds/229899045?utm_source=github_status&utm_medium=notification

$ tests/frontend/travis/sauce_tunnel.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6033k  100 6033k    0     0  7430k      0 --:--:-- --:--:-- --:--:-- 8023k
expected argument for flag `-u, --user', but got option `--key'

[lpagliari]

@tiblu Sauce Labs has a restriction to run tests for PRs, that's probably the reason you're getting this error:

Note that due to security restrictions, the Sauce Labs addon is not available on pull request builds unless you use the JWT Addon.

We still need to implement the change to use JWT, this is not done yet.