Login should stay in website domain; not working with strict privacy settings

• Oct 30, 2014 - 21:39
S4 - Minor
needs info

Using Firefox I can login to the issue tracker to file a new issue, but when I attempt to login on Safari I stay on the Musescore.com website in my profile.
The logical reason I can think of for this is the improper usage of cookies (i.e. set/get cookies for pages outside of the domain of the page setting the cookies: Safari cookie-setting has proper privacy settings to 'allow from current website only'; Firefox cookie settings have not been customised so it still allows third-party cookies)


Thank you for reporting this issue. Could you tell me which operating system (Mac OS version) you are working on?

Fyi we don't share cookies between the two sites. Instead a single-sign-on solution is used so there are cookies set for both sites. Read more about this system at http://musescore.org/en/node/22832

Issue was encountered with Mac OS X Yosemite (10.10); but is basically OS- and browser-independent. It only depends on the end-users privacy settings (and of course the privacy controls available to a user in a given browser).

The problem is that with this SSO-strategy musescore.org redirects for login to musescore.com. With a strict cookie privacy setting to only allow cookies for the website's domain setting a cookie for musescore.org will fail: The (login) page on musescore.com tries to set a cookie for '3rd party' musescore.org domain.

What if you set the setting for "the website's domain and its subdomains"? Does it still fail then?
I ask cause the cookie set for musescore.com and musescore.org are domain cookies, i.e. .musescore.com and .musescore.org, so it works for subdomains as well.

Fyi we use CAS for the SSO.

I'll have a look into the CAS website myself as well, but the 3rd-party cookie block takes care of subdomains, but musescore.com and musescore.org are not subdomains of eachother.

My guess is that the problem is that currently a CAS login application hosted at musescore.com domain is attempting to set the 'logged in user' cookies for both the musescore.com and the musescore.org domain (for musescore.com this is allowed even when not accepting 3rd party cookies, but for musescore.org the cookie should be set from a musescore.org URL).
For login to the musescore.org domain I would expect it to trigger something along the lines of a redirect to musescore.org with a one-time ticket in the request and musescore.org processing the one-time ticket from the request with the CAS server to validate the login and set a musescore.org cookie)

Status (old) active needs info

I still can't reproduce (Safari 6.1.4 on Macbook 10.8.5) with these settings.