How to figure out what site to add to cookie whitelist?

Question

There is a banking site that I cannot login to unless I allow all cookies to be accepted. I am using Firefox 3.0 and I have set it to not accept cookies except from the defined list (Tools - Options - Privacy - Cookies - Exceptions). I've added all the sites captured by Live HTTP Headers to the whitelist, but the login is still disabled. I've tried to enable all cookies and login, then look at the cookies I got - didn't see any new site to be added to the Exceptions list. Obviously the site is somehow checking if I'm accepting an arbitrary cookie. How can I find out what site needs to be whitelisted? Or do I not understand something about cookies, and accepting all cookies is somehow not the same as having all the right sites whitelisted?

The site is https://www.citizensbank.ca/ and it shows the login fields only if any cookies are allowed, otherwise it shows the message "To login to online banking, you must have JavaScript and cookies enabled."

Answer 1

you should add their registered base domain, so www.citizensbank.ca should work. You could also try to just allow cookies while logging on, and hitting ctl+shift+del when you're done.

Answer 2

I'd get myself another machine (or a VMWare image), delete all cookies, allow all cookies from all sites, then go to your site and log in (which sounds similar to what you've already tried).

Then, after your banking session is finished (or during, if they create a short-lived cookie just for testing you have them enabled), have a look at your cookie jar to see what the bank added. That should tell you the domains you need to add to your real machine.

If that doesn't work, contact the bank and explain your issues. They'll either tell you which ones you need to allow or they'll tell you to allow them all. If the latter, you need to decide if they're still worth keeping as your bank.

Alternatively, you can either:

• use that VM you set up as a sandbox for accessing the bank if you don't want all cookies appearing on your main box.
• set up a script to delete all non-whitelisted cookies after FF shuts down.
• stop worrying about cookies altogether and just allow them (I don't think I've ever heard of cookies being used as an attack vector).

If you'd like, send me your account details (user/password) and I'll see if I can debug it from here :-) Just kidding (in case it wasn't immediately obvious).

Update:

Your bank has a particularly nefarious way of checking requirements. They check to see if you're accepting ALL cookies, something they have no business doing at all. They should just see if they can create a cookie and read it back, which would make them compatible with cookie managers.

The code they have is:

function testCookie() {
    if (typeof navigator.cookieEnabled !== "undefined") {
        return !!navigator.cookieEnabled;
    } else{
        document.cookie="testcookie";
        return document.cookie.indexOf("testcookie")!=-1;
    }
}
if(!testCookie()){
    var browserWarningString = '';
    browserWarningString += '<div class="warning">';
    browserWarningString += '<p>To login to online banking, you must have
        JavaScript and cookies enabled.</p>';
    browserWarningString += '</div>\n';
    document.getElementById("loginAuth").innerHTML = browserWarningString;
}

It's that first bit of testCookie(), the return !!navigator.cookieEnabled bit which is problematic. No amount of whitelisting URLs is going to help you here since that would only be checked once the global cookieEnabled is set to true (which it isn't for you, and rightly so).

Ideally, you'd just be able to replace that testCookie() function in the HTML that comes down.

I've found a similar site that talks about the same problem from a different bank (I guess banks are where all the brain-dead Javascript kiddies end up :-) here, along with two proposed solutions.

The first was to install GreaseMonkey and use this script here. Obviously this would need to be changed for your bank (URLs, function name and so on).

The last post on that first link above (at the moment, look for "afternoonnap, February 15th, 2009, 10:10 am" post) also shows how to achieve the same result using NoScript. This involves replacing the cookieEnabled script (for that specific page) with a more rational one, although I'd probably just opt for replacing it with "return true" and hang the consequences :-).

Hope that helps somewhat.

For completeness (in case the links ever disappear), I'll include the two scripts here. The GreaseMonkey one boils down to:

// ==UserScript==
// @name          TD Canada Trust EasyWeb Repair
// @namespace     tag:GossamerGremlin,2007-04-28:Repair
// @description   Repair TD Canada Trust EasyWeb website.
// @include       https://easyweb*.tdcanadatrust.com/*
// @exclude       
// ==/UserScript==

var scriptName = "TD Canada Trust EasyWeb Repair";

// The above @include pattern is overbroad because it exposes this
// user script to potential attacks from URLs such as this:
//   https://easyweb.evil.example.com/not.tdcanadatrust.com/bad.html
// The following check eliminates such possibilities:
if (location.href.match(/^https:\/\/easyweb\d\d[a-z].tdcanadatrust.com\//))
{
    // Visibly mark page to remind that this script is in use.
    if (document.body)
    {
        host = document.location.host;
        dummyDiv = document.createElement('div');
        dummyDiv.innerHTML = '<div><span style="color: red">Greased by: ' +
                             scriptName + ' (' + host + ')</span></div>';
        document.body.insertBefore(dummyDiv.firstChild,
            document.body.firstChild);
    }
    unsafeWindow.navigator.__defineGetter__("cookieEnabled",
        canStoreCookieFixed);
}

 

// canStoreCookieFixed()
//   TD's version relies on navigator.cookieEnabled, which is not set
//   if customer has cookie manager, even when cookies are allowed for
//   EasyWeb. The only reliable check for enabled cookies is to actually
//   test if session cookie settings succeed, as done in this function
//   replacement.
function canStoreCookieFixed()
{
    var testSessionCookie ="testSessionCookie=Enabled";
    document.cookie = testSessionCookie;
    return (document.cookie.indexOf(testSessionCookie) != -1);
}

The NoScript version boils down to "add the following to about:config":

noscript.surrogate.nce.sources=@easyweb*.tdcanadatrust.com

noscript.surrogate.nce.replacement=navigator.__defineGetter__(
    "cookieEnabled",function(){
        var ed=new Date;
        ed.setTime(0);
        var tc="__noscriptTestCookie_"+Math.round((Math.random()*99999))
            .toString(16)+"=1";
        document.cookie=tc;
        var ok=document.cookie.indexOf(tc)>-1;
        document.cookie=tc+";expires="+ed.toGMTString();
        return ok
    }
);

Test and update:

When I install noscript and turn off cookies altogether in FF3, then add the following about:config items, the login prompt shows up for your bank, so I think this is probably the way to go:

noscript.surrogate.nce.sources     = *.citizensbank.ca
noscript.surrogate.nce.replacement =
    navigator.__defineGetter__("cookieEnabled",function(){return true});

I suggest you do this and test it to make sure you still have all your functionality.

Answer 3

Another option - use a different browser to start the process. For example, if you normally use Firefox, try Safari, or Opera, or Chrome, or MSIE instead. Don't import any cookies from your normal browser. Then examine what it takes to get the web site to work.