Deleting cookies no longer works #3445
Comments
|
What libcurl version is this? It sounds like you might want a52e46f, which is in 7.63.0... |
|
This is master branch |
|
(@danielgustafsson mentioned on IRC he'll take a look at this issue tomorrow) |
|
In 7.63 there's 1e9abfe by @jeroen which deletes the cookie but since then there's 7a09b52 by @danielgustafsson, the only possibility I see is a mismatch on deletion this probably did it |
|
I suspect this happens because the cookie update isn't using
I can't find this strict behavior mandated in draft-ietf-httpbis-cookie-alone though. @danielgustafsson, what do you think? |
|
On 8 Jan 2019, at 22:40, Daniel Stenberg ***@***.***> wrote:
I suspect this happens because the cookie update isn't using secure but the creation of it does:
• The two cookies are created like this over a HTTPS connection:
Set-Cookie: foo=123; Secure; Path=/
Set-Cookie: bar=ftw; Secure; Path=/
• The update that wants to expire the cookie is set without secure even though still done over HTTPS:
Set-Cookie: foo=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
I can't find this strict behavior mandated in draft-ietf-httpbis-cookie-alone though. @danielgustafsson, what do you think?
Sorry for being slow to address this, I’ve had little to no time for community work this week.
I do believe your analysis is correct, since the expiration is performed over HTTPS is should be allowed. My patch is overzealous here AFAICT.
|
|
Sorry forget what I said a minute ago, deleted that message. I can confirm that the cookie does get deleted when running the same test in with The new behavior is that the expired is not listed at all anymore. So to summarize: if we set and then delete a cookie, and then check the Old output (either HTTP and HTTPS)The expired cookie is included with Current output with HTTPS (definitely a bug)The expired cookie is not deleted at all: Current output with HTTP (maybe a bug?)The expired cookie is entirely omitted from |
|
Didn't you do that in 1e9abfe |
|
Me? I only reported a condition where curl was sending expired cookies if you would do a subsequent request within 1sec after deletion: #3351. I think the above issue(s) are orthogonal to that. |
|
Oops I glanced and thought you authored that commit but now I see it was @bagder. Anyway I thought that was the intention. |
Added test 1562 to verify. Reported-by: Jeroen Ooms Fixes #3445
|
Thanks for fixing! Are you also interested in the other (minor) problem? That the behavior of |
|
Is that really a problem? curl does not attempt to keep expired cookies around as they would never get sent anymore so they are (rather aggressively) removed. I don't think we've ever claimed to keep them around - I don't think this breaks any documented behavior. We've always removed expired cookies, its just that recently we've started to do it slightly more often. |
|
No it's not a problem, just wanted to confirm this is intentional. Then I will update my tests accordingly. |
After fixing #3351 my unit tests were passing, but now they broke again.
What it does
Basically the unit test lets the server set a cookie, then deletes it, and then lists cookies:
https://eu.httpbin.org/cookies/set?foo=123&bar=ftwwhich sets cookiesfooandbarhttps://eu.httpbin.org/cookies/delete?foowhich deletes cookiefoo.curl_easy_getinfo(handle, CURLINFO_COOKIELIST, &cookies))Previous output
Up till version 7.62,
CURLINFO_COOKIELISTwould contain both cookies, with the expired cookie in the list with the timestamp at which it expired, and value as NULL like this:Current output with HTTPS (definitely a bug)
The expired cookie is not deleted at all:
New output output with HTTP (maybe a bug?)
The expired cookie is entirely omitted from
CURLINFO_COOKIELIST:Full log from R
Sorry for the R code :-)
The text was updated successfully, but these errors were encountered: