Canonical SSO provider

Can't login to Launchpad without sending referer header

Bug #1198101 reported by Victor Engmark
44
This bug affects 9 people
Affects Status Importance Assigned to Milestone
Canonical SSO provider
Confirmed
Low
Unassigned
Ubuntu Forums
New
Undecided
Unassigned

Bug Description

Trying to log in to https://login.launchpad.net always fails with Firefox (any version) when network.http.sendRefererHeader is set to 0. Error message:

-------------------------------------------------
Your page was stale.

Apologies, the page you came from was a little old. Perhaps you navigated here from a browser window other than the one you used to login. If so, try using the other browser window. Or, try your action again, starting from our home page.
Go to our home page
-------------------------------------------------

Setting network.http.sendRefererHeader to the default value of 2 is a workaround, but is not recommended by for example EFF for privacy reasons.

Ricardo Kirkner (ricardokirkner)
Changed in canonical-identity-provider:
importance: Undecided → Low
Revision history for this message
Dave Morley (davmor2) wrote :

Currently this is the expected behaviour this may change in the future but possibly not during this release cycle.

Changed in canonical-identity-provider:
status: New → Confirmed
assignee: nobody → Ubuntu One web team (ubuntuone-web)
tags: added: u1-by-user u1-on-production
Revision history for this message
Santosh (santosh.k83) wrote :

Just adding that the same behaviour is experienced when logging in to ubuntuforums.org through the Ubuntu SSO service.

Revision history for this message
John (human395234) wrote :

I believe the duplicate status of this bug is incorrect. The present bug seems to be a complaint about the fact that https://login.launchpad.net requires a referer header to be sent by the browser, or else the login will fail. Bug #1087323 seems to be a complaint about the wording of the failed login page, specifically, that it should say "You need to turn on HTTP Referer headers".

Revision history for this message
Mateusz Jończyk (mat-jonczyk) wrote :

Well, come on, I have to enable referer every time I log in to Launchpad.

Curtis Hovey (sinzui)
Changed in canonical-identity-provider:
assignee: Registry Administrators (registry) → nobody
Revision history for this message
Christian Kujau (christiank) wrote :

http://kb.mozillazine.org/Network.http.sendRefererHeader
> Recommended settings
> Those concerned with privacy can set this to 0, realizing that this may
> adversely affect some sites. Those wanting to ensure compatibility should
> leave it at the default.

Please Ubuntu, do allow logins to Launchpad w/o users having to sacrifice their privacy settings. It's bad enough that HTTP referer exist in the first place, but please do not (ab)use them in your login logic.

Revision history for this message
Richard Voogd (Lisati) (lisati) wrote :

Just a thought. The SSO login system used by the Ubuntu forums bypasses the normal vBulletin login system. It navigates away from the main forum site to grab your login details and then return you to the site when you've successfully logged in. In some situations, the referred information is useful for automatically directing you back to the page you were viewing before you logged in.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.