Opened 8 years ago

Closed 8 years ago

#4055 closed defect (fixed)

HTTPS Everywhere breaks LastPass saved login

Reported by: Kaeltis | Owned by: pde
Priority: Low | Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere | Version:
Severity: | Keywords:
Cc: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:

Description

When HTTPS Everywhere is enabled for LastPass.com, the LastPass plugin will get logged out every time the browser is closed, even if you set LastPass to keep the login between sessions.
After disabling HTTPS Everywhere for LastPass.com the plugin works as it is supposed to.

LastPass.com also automatically forces an HTTPS connection, even without HTTPS Everywhere activated, so the extra rule is not really needed.

Change History (10)

comment:1 Changed 8 years ago by pde

Priority: normal → minor

Kaeltis, can you check two things:

  1. Does LastPass set the secure flag on all of its cookies if you use a fresh browser profile /without/ HTTPS Everywhere installed (or if you clear all your cookies and log in after disabling this ruleset)?
  2. If you remove the "securecookie" line from the LastPass ruleset, does the problem persist?

comment:2 Changed 8 years ago by Kaeltis

  1. It creates the following cookies:

Name: lang
Content: de_DE
Domain: .lastpass.com
Path: /
Secure?: false
Valid for: ~1 year


Name: sessonly
Content: 0
Host: lastpass.com
Path: /
Secure?: true
Valid for: ~1 year


Name: PHPSESSID
Content: (a session id)
Host: lastpass.com
Path: /
Secure?: true
Valid for: ~2 weeks


  2. I have the same problem with the line removed.
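
The secure-flag check requested in comment:1, as an added example that is not part of the original ticket or of either project's code: it parses Set-Cookie headers and reports which cookies the server marks Secure and which a securecookie-style rule (host and name regexes) would cover. The headers, the rule and the function names are constructed for illustration, modelled on the cookie listing in comment:2; the rule is not the actual LastPass ruleset.

```javascript
// Constructed Set-Cookie headers modelled on the cookies listed in comment:2.
const SAMPLE_HEADERS = [
  "lang=de_DE; Domain=.lastpass.com; Path=/; Max-Age=31536000",
  "sessonly=0; Path=/; Max-Age=31536000; Secure",
  "PHPSESSID=PLACEHOLDER_SESSION_ID; Path=/; Max-Age=1209600; secure",
];

// Constructed rule in the host/name regex form of a ruleset "securecookie" line;
// an assumption for this example, not the actual LastPass ruleset.
const SAMPLE_RULE = { host: /^(.*\.)?lastpass\.com$/, name: /.+/ };

// Parse one Set-Cookie header value. Attribute names are case-insensitive.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? "" : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    host: responseHost, // host-only unless a Domain attribute is present
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "domain" && v) cookie.host = v.trim().toLowerCase();
  }
  return cookie;
}

// For each cookie: did the server set Secure, and would the rule cover it?
function auditCookies(headers, responseHost, rule) {
  return headers.map((h) => {
    const c = parseSetCookie(h, responseHost);
    const covered = rule.host.test(c.host) && rule.name.test(c.name);
    return {
      name: c.name,
      serverSecure: c.secure,
      coveredByRule: covered,
      // Can travel over plain HTTP if neither the server nor the rule secures it.
      exposedOverHttp: !c.secure && !covered,
    };
  });
}

console.table(auditCookies(SAMPLE_HEADERS, "lastpass.com", SAMPLE_RULE));
```
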

comment:4 Changed 8 years ago by pde

This is an instance of a general bug we have with extensions that make HTTP
requests which HTTPS Everywhere tries to rewrite into HTTPS requests:

https://trac.torproject.org/projects/tor/ticket/3190

There are three possible fixes:

  1. We disable the LastPass rule :(
  2. LastPass modifies its code to always use HTTPS, or to be aware of HTTPS Everywhere in the same way that the Request Policy extension did: https://trac.torproject.org/projects/tor/ticket/1574
  3. Mozilla implements an official request rewriting API so that extensions don't have to know about each other.

We can do 1, but perhaps someone should post in that forum to see if LastPass
would like to do 2?

comment:6 Changed 8 years ago by pde

Resolution: fixed
Status: new → closed

Disabled in master and 1.0, releases coming at the end of bug squashing day.

comment:7 Changed 8 years ago by pde

Hmmm, that stable release didn't happen promptly. And now, I can't reproduce the problem, perhaps because LastPass has modified their code to always use https?

I'm going to release 1.1 stable with LastPass still enabled. If anyone is still seeing this problem with the latest versions of LastPass, please reopen this bug and I'll disable LastPass for real.

comment:8 Changed 8 years ago by Kaeltis

Resolution: fixed
Status: closed → reopened

I still have this problem, running HTTPS-Everywhere 1.1 and LastPass 1.74.0
(even did a complete reinstall of my OS recently)

comment:9 Changed 8 years ago by Bak3d

Login problem still here, using HTTPS-Everywhere 1.1 and LastPass 1.80. Fixed by disabling rule.

LastPass related entries in the Error Console upon launching browser:
0 : namedpipes : lpnp_init : initializing named pipe server
----------
HTTPS Everywhere: Could not check applicable rules for https://lastpass.com/favicon.ico
----------
HTTPS Everywhere: Could not check applicable rules for https://lastpass.com/debug.php
----------
HTTPS Everywhere: Could not check applicable rules for https://lastpass.com/favicon.ico
----------
HTTPS Everywhere: Could not check applicable rules for https://lastpass.com/debug.php
----------
2 : namedpipes : received cmd=pipeinitdone data=<pipeinitdone rc="0"/>
----------
2 : login : Trying to log in offline : obtained key from saved credentials username=*MY-EMAIL-REMOVED*
----------
2 : login : Trying to log in offline : offline before online failed : could not read accounts file

comment:10 Changed 8 years ago by pde

Resolution: fixed
Status: reopened → closed

The LastPass ruleset was disabled in 1.2.1 and 2.0development.4.