Login requires cookies, but does not say so

Bug #30679 reported by Sascha Silbe
Affects: Launchpad itself
Status: Fix Released
Importance: Medium
Assigned to: Matthew Revell

Bug Description

For the login to work properly (at least for more than one screen), cookies
have to be enabled. I don't like that, but won't argue against it.
Nonetheless, the login page should mention this. Example from the Gentoo Bugzilla login page:

(Note: you should make sure cookies are enabled for this site. Otherwise, you will be required to log in frequently.)

Dafydd Harries (daf)
Changed in launchpad:
assignee: nobody → mpt
Dafydd Harries (daf)
Changed in launchpad:
status: Unconfirmed → Confirmed
Dirk Traulsen (dirk-traulsen) wrote :

I had the same problem. After trying several things, including changing my password because I could have forgotten it, I just thought, well, as a last resort before giving up and never coming back, why not try to enable cookies.
Not informing the user that the page needs cookies is extremely unintuitive and may turn people away.

Brad Bollenbach (bradb) wrote :

I just received an email from a user not able to log in to Launchpad. It turned out that the user had been blocking cookies from Launchpad in his FF configuration! If Launchpad had specifically said that this is why he wasn't being logged in, instead of returning him to the same page without logging him in, this problem could have been avoided.

Diogo Matsubara (matsubara) wrote :

Changing importance from Wishlist to Medium because users affected by this bug can't log in and don't have a clue why.

Changed in launchpad:
importance: Wishlist → Medium
tomás zerolo (tomas-tuxteam) wrote :

Same here. Plus I'd like to make a stronger case for making cookies unnecessary. The OP won't argue against that, but I will.

Stuart Bishop (stub) wrote :

To do authentication on a system like Launchpad, we have the following options:

 - HTTP Basic authentication
 - HTTP Digest authentication
 - Session tokens embedded in URLs
 - Session tokens in a cookie

Basic authentication is unacceptable as it is ugly and provides no mechanism for clearing authentication credentials (people need to be able to log out). It is also sniffable if we want to have parts of Launchpad served over HTTP to improve perceived performance and cacheability.

Digest authentication is not widely supported. And is also probably ugly.

Session tokens embedded in URLs obfuscate our URL space, which we have tried to keep clean from day one. The session tokens also leak when people post links into Launchpad.

This leaves us with needing to settle on cookie authentication, for pretty much the same reasons as almost every other web based system out there has settled on cookie authentication. This will not change until better alternatives exist as standards and are widely supported. There will be much rejoicing when this happens.

Sascha Silbe (sascha-ubuntu-launchpad) wrote :

You could (optionally) support logging in via SSL client certificates (or rather public keys since there's no need to rely on a CA).

youp (joseph-massot) wrote :

Same here, no comment about needing cookies, even if I go via the link in the mail in the "lost password" case.

tnoo (answer) wrote :

Had the same problem here, and finally realised rejected cookies were to blame.

Matthew Paul Thomas (mpt) wrote :

I would much prefer it if we showed this warning only to people who we know don't have cookies turned on (or who are blocking cookies from launchpad.net). 99% of people will have cookies turned on, and notifying them would be needlessly distracting.

Changed in launchpad:
assignee: mpt → nobody
Morris Johns (morris-johns) wrote :

Took me 10 minutes to work out why I couldn't log in - I thought it was another problem.

However I believe Launchpad users are much more likely to disable cookies than the average surfer... I couldn't find solid statistics for average users - sites mostly said between 95% and 99% disable cookies e.g. http://www.uniqpaid.com/advertisers/faq.shtml says their research shows "nearly 97% of users have cookies enabled"

Morris Johns (morris-johns) wrote :

Re: Stuart Bishop

<script language="JavaScript">
if(!document.cookie) {
  document.write("<P><div align=\"center\">Warning: You don't seem to have cookies enabled. Without cookies, you will not be able to login. <A HREF=\"http://www.mozilla.org\">Some web browsers<\/A> allow cookies to be managed on a per-site basis.<\/div>");
}
</script>

The above JavaScript segment warns users if cookies are not enabled.
You would need to either:
 a) serve a standard cookie for the login page and put the code into the login page.
 b) put the code into a page that is shown after login.
It would be a good idea to add a <noscript>Cookies must be enabled blah blah</noscript> for non-JavaScript users (I haven't checked whether you require JavaScript or not).

From:
http://lists.kuro5hin.org/pipermail/scoop-dev/2002-October/000300.html

You can try it out by using
javascript:alert(document.cookie)
in address bar after logging in.

Sascha Silbe (sascha-ubuntu-launchpad) wrote :

I'm using Launchpad with w3m which has no JavaScript support at all. So no, Launchpad currently does not require JavaScript (at least for the features I'm using most of the time). The suggested noscript section will suffice, though.
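
A server-side variant of the cookie check discussed above, as an added example that is not part of the original thread or Launchpad's own code: the login form sets a probe cookie, and the submit handler shows a notice only when the browser did not send it back, so it also works in browsers without JavaScript. The cookie names, handler functions and message texts are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

PROBE = "lp_cookie_probe"   # hypothetical probe cookie name
SESSION = "lp_session"      # hypothetical session cookie name
NOTICE = ("Your browser did not return our test cookie. "
          "Cookies must be enabled for this site to log in.")


def _set_cookie(name, value):
    """Build one Set-Cookie header with conservative attributes."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True      # login is served over HTTPS only
    jar[name]["httponly"] = True    # not readable through document.cookie
    jar[name]["samesite"] = "Lax"
    return ("Set-Cookie", jar[name].OutputString())


def login_form():
    """GET: send the form together with a harmless probe cookie."""
    return 200, [_set_cookie(PROBE, "1")], "login form"


def login_submit(cookie_header, credentials_ok):
    """POST: issue a session only if the probe cookie came back."""
    sent = SimpleCookie()
    sent.load(cookie_header or "")
    if PROBE not in sent:
        # Cookies are blocked: say so instead of silently showing the
        # login form again, and re-send the probe for the next attempt.
        return 200, [_set_cookie(PROBE, "1")], NOTICE
    if not credentials_ok:
        return 200, [], "Wrong e-mail address or password."
    token = secrets.token_urlsafe(32)   # unguessable session identifier
    return 303, [_set_cookie(SESSION, token), ("Location", "/")], ""
```

Because the session cookie is marked HttpOnly, a client-side test of `document.cookie` would not see it; the server-side probe does not depend on script access to cookies.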

Claudio Calvelli (uilebheist) wrote :

More problematic, the cookie is sent with an expiry time of RIGHT NOW.
That may work in some browsers, but others will discard it before it gets used.
For example, a few minutes ago the cookie received was:

Set-Cookie: ... ; expires=Sun, 26 Apr 2009 07:34:38 GMT; Path=/; secure;

This was at 07:34:38 GMT, so the cookie expired immediately and was never used.

This has the result that some browsers can't log in, but no error message is produced.

My clock is set correctly or at least it is less than 0.004 seconds off from the various servers listed under uk.pool.ntp.org - so that isn't the problem.

Steve Alexander (stevea) wrote :

The date you quote is in 2009, one year from today. So, the cookie expires in one year.

Klaus Thorn (klaus-trillke) wrote :

I could not log in at all without cookies enabled for launchpad.net.

So until the cookie-check is implemented
(which could have happened at least since Morris Johns' suggestion from 2008-04-23),
I suggest to just add a hint on the login page like: "cookies are required to login."

Changed in launchpad-foundations:
assignee: nobody → matthew.revell
milestone: none → 2.2.1
Changed in launchpad-foundations:
status: Confirmed → In Progress
Changed in launchpad-foundations:
status: In Progress → Fix Released