Self-destruction of third-party cookies incorrectly destroys first-party cookies
Description
When logging in to Gitea with the "Remember me" checkbox toggled, the session cookie should have a Max-Age of 604800, or 7 days. With AdGuard and "Self-destruction of third-party cookies" enabled, the cookie is limited to 3 days, or the amount set in AdGuard's settings for the aforementioned setting. You can register for a free account on their test instance and check for yourself. I have also experienced this issue in various other websites over time, but only just realized where it was coming from, so this is the first reproducible website I encountered.
Request logs
All request logs are recorded using Firefox's in-built debugger tools.
AdGuard disabled (expected behavior):
set-cookie | gitea_awesome=REDACTED; Path=/; Max-Age=604800; HttpOnly
set-cookie | gitea_incredible=REDACTED; Path=/; Max-Age=604800; HttpOnly
AdGuard enabled:
set-cookie | gitea_awesome=REDACTED; Path=/; HttpOnly; Max-Age=10800; Expires=Sun, 12 Jul 2020 23:05:30 GMT
set-cookie | gitea_incredible=REDACTED; Path=/; HttpOnly; Max-Age=10800; Expires=Sun, 12 Jul 2020 23:05:30 GMT
Environment
- Windows 10 19041.329
- Firefox 78.0.2
- AdGuard 7.4.2
@ViRb3
Something is going on with this website, all others like youtube.com work fine with that Stealth Mode preset. We will take a look at this closer.
My suspicion is that it uses cookies without an explicit domain attribute. Notice, for example:
set-cookie | gitea_awesome=REDACTED; Path=/; Max-Age=604800; HttpOnly
There is no domain attribute that lists where the cookie belongs. For example, here is another cookie from a different service which works properly with AdGuard:
set-cookie | authelia_session=REDACTED; expires=Thu, 23 Jul 2020 19:32:28 GMT; domain=REDACTED; path=/; HttpOnly; secure
I do not have the time to verify this at the moment, but would be worth checking.
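Added example, not part of the original thread and not AdGuard's code: a small Python check that parses the `set-cookie` values from the request logs above, treats a cookie with no `Domain` attribute as host-only (RFC 6265, section 5.3), and reports first-party cookies whose `Max-Age` shrank between the two captures. The host `gitea.example` and all function names are assumptions made for illustration, and the first-party test is simplified to an exact host match.

```python
from typing import NamedTuple, Optional

class Cookie(NamedTuple):
    name: str
    max_age: Optional[int]  # seconds; None when the attribute is absent
    domain: Optional[str]   # None means host-only (RFC 6265, section 5.3)

def parse_set_cookie(value: str) -> Cookie:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    pair, *attrs = (part.strip() for part in value.split(";"))
    max_age = domain = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)  # Max-Age takes precedence over Expires
            except ValueError:
                pass                # a malformed Max-Age is ignored
        elif key == "domain" and val:
            domain = val.lstrip(".").lower()
    return Cookie(pair.partition("=")[0].strip(), max_age, domain)

def cookie_scope(cookie: Cookie, request_host: str) -> str:
    """Host the cookie is bound to: its Domain attribute, else the request host."""
    return cookie.domain or request_host.lower()

def is_first_party(request_host: str, page_host: str) -> bool:
    # Simplification (assumption): exact host match. Real classifiers compare
    # registrable domains using the Public Suffix List.
    return request_host.lower() == page_host.lower()

def shortened_first_party(page_host, request_host, original, observed):
    """(name, scope, old, new) for first-party cookies whose Max-Age shrank."""
    if not is_first_party(request_host, page_host):
        return []
    before = {c.name: c for c in map(parse_set_cookie, original)}
    hits = []
    for c in map(parse_set_cookie, observed):
        old = before.get(c.name)
        if old and None not in (old.max_age, c.max_age) and c.max_age < old.max_age:
            hits.append((c.name, cookie_scope(c, request_host), old.max_age, c.max_age))
    return hits

# Header values copied from the request logs above; HOST is a constructed placeholder.
HOST = "gitea.example"
ORIGINAL = ["gitea_awesome=REDACTED; Path=/; Max-Age=604800; HttpOnly",
            "gitea_incredible=REDACTED; Path=/; Max-Age=604800; HttpOnly"]
OBSERVED = ["gitea_awesome=REDACTED; Path=/; HttpOnly; Max-Age=10800; Expires=Sun, 12 Jul 2020 23:05:30 GMT",
            "gitea_incredible=REDACTED; Path=/; HttpOnly; Max-Age=10800; Expires=Sun, 12 Jul 2020 23:05:30 GMT"]

if __name__ == "__main__":
    print(shortened_first_party(HOST, HOST, ORIGINAL, OBSERVED))
```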
@ViRb3
Can you check once again with the latest Nightly? I cannot reproduce the issue, first-party cookies are not affected if an associated function is disabled in AdGuard.
I can confirm the same issue occurs with AdGuard 7.6 Nightly 13.
@TheHasagi here is a full request/response dump with AdGuard's self destruct disabled (left, Max-Age=31536000), and with self destruct enabled (right, Max-Age=10800): https://www.diffchecker.com/kkdeca4V
Please let me know if I can help any further. Happy to take this conversation to private messages and share more sensitive information.
@ViRb3
To troubleshoot this issue, we need to get the app logs.
Here's what we need you to do:
- Open AdGuard -> Settings (General) -> Logging level -> Debug
- Reproduce the issue (and remember the exact time when it happened).
- AdGuard -> Settings (General) -> Export Log
- Send the archive to [email protected] and mention this issue number in the subject
I am seeing the same problem with my self-hosted instance of https://miniflux.app/. I can confirm that it is not setting the domain attribute, which does appear to be optional. Note I am running on a subdomain (xyz.example.com) and not the apex domain, so perhaps that's part of this.
I will send debug logs to the above address soon.
Oh! I just realized this is in the for Windows repository. I'm on macOS - is it safe to assume this code is shared between the two?
Just checked if this has somehow been fixed in Safari, but sadly, same issue:
With third-party cookies blocked:

Without third-party cookies blocked:

(All these cookies are first-party)