curl-users

RE: Cookie paths when the query includes /

From: John P. McCaskey <mailbox_at_johnmccaskey.com>
Date: Mon, 21 Sep 2009 19:47:41 -0700

On Mon, 21 Sep 2009, Daniel wrote:

>> It's 7.19.5.

> On what OS?

Windows XP

>> Can I send you the details by private email?

> Please keep this discussion on the list. Edit out all the sensitive bits
> before you post it here.

OK, I've edited a capture of a successful session, taken with ieHTTPHeaders.

(1) Out goes a query that looks like this. Note the slashes (and the *) in
the query string.

POST /abc/doit.jsp?parm1=this*that/other/thing&parm2=foobar HTTP/1.1
Accept: image/gif, image/jpeg, [and others here,] */*
Referer: http://www.website.com/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; NovaPacs Viewer 6.6.246.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
Host: www.site.com
Content-Length: 90
Connection: Keep-Alive
Cache-Control: no-cache

userid=myname&password=mypassword

(2) The web server requests a redirect, adding one more parameter to the
query string, and setting some cookies, including one called testcookie. But
testcookie has no path, so the client will need to calculate the default.

HTTP/1.1 302 Moved Temporarily
Date: Tue, 22 Sep 2009 01:54:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a
Cache-Control: no-cache="Set-Cookie"
Location: https://www.site.com/abc/doit.jsp?setCookie=1&parm1=this*that/other/thing&parm2=foobar
Set-Cookie: JSESSIONID=12345; path=/
Set-Cookie: testcookie=1
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: cookie1=5;Version=1;path=/

(3) When this is received, IE sets testcookie=1 and the cookie's path to
/abc/. So when the redirection is followed, testcookie gets sent.

GET /abc/doit.jsp?setCookie=1&parm1=this*that/other/thing&parm2=foobar HTTP/1.1
Accept: image/gif, image/jpeg, [and others here,] */*
Referer: http://www.website.com/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; NovaPacs Viewer 6.6.246.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
UA-CPU: x86
Accept-Encoding: gzip, deflate
Host: www.site.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: testcookie=1; JSESSIONID=12345; cookie1=5

But when I try (1) with this CURL command line,

curl -k -L -o output.html -c cookies.txt -b cookies.txt "https://www.site.com/abc/doit.jsp?parm1=this*that/other/thing&parm2=foobar"

I get back (2) OK, but testcookie's path in cookies.txt gets set to
/abc/doit.jsp?setCookie=1&parm1=this*that/other/ instead of just /abc/. So
(3) goes back to the server without testcookie and the server thinks my
"browser" has cookies disabled. When I URL-encode the slashes, CURL sets the
path correctly, but then the script on the server (something I, of course,
can't control) misbehaves.

I hope my editing preserved the essentials. Advice appreciated.

John

Received on 2009-09-22
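
Added example, not part of the original message and not curl's own code: a C sketch of the default-path calculation for a Set-Cookie with no path attribute, showing how searching for the right-most '/' over the whole request target (query included) yields the cookies.txt path reported above, while cutting the query first yields /abc/. The function names are hypothetical, the request target is a constructed sample taken from capture (3), and the trailing slash is kept because that is the form the message reports.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the redirected request target from capture (3). */
static const char *TARGET =
    "/abc/doit.jsp?setCookie=1&parm1=this*that/other/thing&parm2=foobar";

/* Default path for a Set-Cookie with no path attribute: everything up to and
 * including the right-most '/'. With strip_query == 0 the search runs over
 * the whole target (the behaviour reported above); with 1 the query is cut
 * off first, so a '/' after '?' cannot leak into the path. */
static int default_cookie_path(const char *target, int strip_query,
                               char *out, size_t outlen)
{
    size_t len = strip_query ? strcspn(target, "?") : strlen(target);
    while (len > 0 && target[len - 1] != '/')
        len--;
    if (len == 0 || target[0] != '/') {   /* no usable path: fall back to "/" */
        target = "/";
        len = 1;
    }
    if (len + 1 > outlen)
        return -1;                        /* caller's buffer is too small */
    memcpy(out, target, len);
    out[len] = '\0';
    return 0;
}

/* Simplified path match: the cookie path must be a prefix of the request
 * path, which never includes the query string. */
static int path_matches(const char *cookie_path, const char *target)
{
    size_t plen = strlen(cookie_path);
    return plen <= strcspn(target, "?") && strncmp(cookie_path, target, plen) == 0;
}

int main(void)
{
    char path[128];
    for (int strip = 0; strip <= 1; strip++) {
        if (default_cookie_path(TARGET, strip, path, sizeof path) != 0)
            return 1;
        printf("strip_query=%d path=%s sent_on_follow_up=%d\n",
               strip, path, path_matches(path, TARGET));
    }
    return 0;
}
```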