views:

392

answers:

3

There is a banking site that I cannot login to unless I allow all cookies to be accepted. I am using Firefox 3.0 and I have set it to not accept cookies except from the defined list (Tools - Options - Privacy - Cookies - Exceptions). I've added all the sites captured by Live HTTP Headers to the whitelist, but the login is still disabled. I've tried to enable all cookies and login, then look at the cookies I got - didn't see any new site to be added to the Exceptions list. Obviously the site is somehow checking if I'm accepting an arbitrary cookie. How can I find out what site needs to be whitelisted? Or do I not understand something about cookies, and accepting all cookies is somehow not the same as having all the right sites whitelisted?

The site is https://www.citizensbank.ca/ and it shows the login fields only if any cookies are allowed, otherwise it shows the message "To login to online banking, you must have JavaScript and cookies enabled."

A: 

you should add their registered base domain, so www.citizensbank.ca should work. You could also try to just allow cookies while logging on, and hitting ctl+shift+del when you're done.

ryansstack
As I mentioned, I added citizensbank.ca and two other sites reported by Live HTTP Headers, and it doesn't work. Thanks for your other suggestion, but my goal is not "login to the site no matter what",or "clear all the cookies".
nameanyone
+1  A: 

I'd get myself another machine (or a VMWare image), delete all cookies, allow all cookies from all sites, then go to your site and log in (which sounds similar to what you've already tried).

Then, after your banking session is finished (or during, if they create a short-lived cookie just for testing you have them enabled), have a look at your cookie jar to see what the bank added. That should tell you the domains you need to add to your real machine.

If that doesn't work, contact the bank and explain your issues. They'll either tell you which ones you need to allow or they'll tell you to allow them all. If the latter, you need to decide if they're still worth keeping as your bank.

Alternatively, you can either:

  • use that VM you set up as a sandbox for accessing the bank if you don't want all cookies appearing on your main box.
  • set up a script to delete all non-whitelisted cookies after FF shuts down.
  • stop worrying about cookies altogether and just allow them (I don't think I've ever heard of cookies being used as an attack vector).

If you'd like, send me your account details (user/password) and I'll see if I can debug it from here :-) Just kidding (in case it wasn't immediately obvious).

Update:

Your bank has a particularly nefarious way of checking requirements. They check to see if you're accepting ALL cookies, something they have no business doing at all. They should just see if they can create a cookie and read it back, which would make them compatible with cookie managers.

The code they have is:

function testCookie() {
    if (typeof navigator.cookieEnabled !== "undefined") {
        return !!navigator.cookieEnabled;
    } else{
        document.cookie="testcookie";
        return document.cookie.indexOf("testcookie")!=-1;
    }
}
if(!testCookie()){
    var browserWarningString = '';
    browserWarningString += '<div class="warning">';
    browserWarningString += '<p>To login to online banking, you must have
        JavaScript and cookies enabled.</p>';
    browserWarningString += '</div>\n';
    document.getElementById("loginAuth").innerHTML = browserWarningString;
}

It's that first bit of testCookie(), the return !!navigator.cookieEnabled bit which is problematic. No amount of whitelisting URLs is going to help you here since that would only be checked once the global cookieEnabled is set to true (which it isn't for you, and rightly so).

Ideally, you'd just be able to replace that testCookie() function in the HTML that comes down.

I've found a similar site that talks about the same problem from a different bank (I guess banks are where all the brain-dead Javascript kiddies end up :-) here, along with two proposed solutions.

The first was to install GreaseMonkey and use this script here. Obviously this would need to be changed for your bank (URLs, function name and so on).

The last post on that first link above (at the moment, look for "afternoonnap, February 15th, 2009, 10:10 am" post) also shows how to achieve the same result using NoScript. This involves replacing the cookieEnabled script (for that specific page) with a more rational one, although I'd probably just opt for replacing it with "return true" and hang the consequences :-).

Hope that helps somewhat.

For completeness (in case the links ever disappear), I'll include the two scripts here. The GreaseMonkey one boils down to:

// ==UserScript==
// @name          TD Canada Trust EasyWeb Repair
// @namespace     tag:GossamerGremlin,2007-04-28:Repair
// @description   Repair TD Canada Trust EasyWeb website.
// @include       https://easyweb*.tdcanadatrust.com/*
// @exclude       
// ==/UserScript==

var scriptName = "TD Canada Trust EasyWeb Repair";

// The above @include pattern is overbroad because it exposes this
// user script to potential attacks from URLs such as this:
//   https://easyweb.evil.example.com/not.tdcanadatrust.com/bad.html
// The following check eliminates such possibilities:
if (location.href.match(/^https:\/\/easyweb\d\d[a-z].tdcanadatrust.com\//))
{
    // Visibly mark page to remind that this script is in use.
    if (document.body)
    {
        host = document.location.host;
        dummyDiv = document.createElement('div');
        dummyDiv.innerHTML = '<div><span style="color: red">Greased by: ' +
                             scriptName + ' (' + host + ')</span></div>';
        document.body.insertBefore(dummyDiv.firstChild,
            document.body.firstChild);
    }
    unsafeWindow.navigator.__defineGetter__("cookieEnabled",
        canStoreCookieFixed);
}

 

// canStoreCookieFixed()
//   TD's version relies on navigator.cookieEnabled, which is not set
//   if customer has cookie manager, even when cookies are allowed for
//   EasyWeb. The only reliable check for enabled cookies is to actually
//   test if session cookie settings succeed, as done in this function
//   replacement.
function canStoreCookieFixed()
{
    var testSessionCookie ="testSessionCookie=Enabled";
    document.cookie = testSessionCookie;
    return (document.cookie.indexOf(testSessionCookie) != -1);
}

The NoScript version boils down to "add the following to about:config":

noscript.surrogate.nce.sources=@easyweb*.tdcanadatrust.com

noscript.surrogate.nce.replacement=navigator.__defineGetter__(
    "cookieEnabled",function(){
        var ed=new Date;
        ed.setTime(0);
        var tc="__noscriptTestCookie_"+Math.round((Math.random()*99999))
            .toString(16)+"=1";
        document.cookie=tc;
        var ok=document.cookie.indexOf(tc)>-1;
        document.cookie=tc+";expires="+ed.toGMTString();
        return ok
    }
);

Test and update:

When I install noscript and turn off cookies altogether in FF3, then add the following about:config items, the login prompt shows up for your bank, so I think this is probably the way to go:

noscript.surrogate.nce.sources     = *.citizensbank.ca
noscript.surrogate.nce.replacement =
    navigator.__defineGetter__("cookieEnabled",function(){return true});

I suggest you do this and test it to make sure you still have all your functionality.

paxdiablo
I did exactly that - deleted all cookies, allowed all cookies, refreshed the page (Ctrl-F5) - the login fields appeared (this can be repeated by anyone, no need to know my account details - you'll either see the fields for username/password, or you'll see the message asking to enable the cookies). Looked in the cookie jar, added all domains to the whitelist, turned off accepting all cookies, refreshed the page - the fields disappeared.Contacted the bank, was told to enable all cookies. I'm not about to close my account over the cookies issue. I'm just pissed off and I want to have it my way.
nameanyone
I've tried the methods I know, the methods that allowed me so far to maintain the cookies whitelist, and they don't work this time.So I decided to ask if there is a better way of finding out what sites I need to whitelist. Or if someone would tell me that there is a way for the site to check if I am allowing all cookies, and no whitelist can fool such a site.Really, that's all I'm asking. I would like to know how to find out definitively what cookies I have to allow. This is not about some dumb "power user" who knows too much for his own good. Please don't suggest any more workarounds.
nameanyone
@nameanyone, as I mention in my update, a whitelist will not help with your banks JS code. They check to ensure the global cookieEnabled flag is set *before* trying to create a cookie. Brain-dead IMNSHO but there you have it. The only fix possible is to replace their code with something more, uh, intelligent :-) That means fiddling with the definition of cookieEnabled for their particular site (as per the links I've provided).
paxdiablo
@Pax, thanks for the update, I'm glad I didn't spill more frustration over your initial answer. Now I see your 35K reputation is well deserved. Not sure why you recommend the NoScript solution over the Greasemonkey, maybe you thought it would be easier to follow? Since I already had Greasemonkey installed, I've adapted the TD Greasemonkey script and it worked! All I had to do is change the @include and remove the outer if (checking location.href) since the new @include doesn't contain any wildcards.
nameanyone
Just that the code looked shorter and I'm inherently lazy :-). Glad to help.
paxdiablo
A: 

Another option - use a different browser to start the process. For example, if you normally use Firefox, try Safari, or Opera, or Chrome, or MSIE instead. Don't import any cookies from your normal browser. Then examine what it takes to get the web site to work.

Jonathan Leffler