Bug report: cookies and redirection
Date: Wed, 9 Apr 2008 16:56:45 -0500

Here's one problem I saw with libcurl 7.17.1 (hadn't retried with
7.18.1 but didn't see anything in change notes that seemed like it
would affect this). I used both CURLOPT_COOKIE and
CURLOPT_FOLLOWLOCATION for a handle. In watching the HTTP traffic,
the cookie I'd set for the original URL also got sent to the
redirected URL. For example, if http://foo.org/video redirected to
http://contentcache.org/video, the cookie would be sent to both even
though it's only valid for the original domain.

This seems like a security hole -- I'd expect the cookie to be cleared
if a redirection happened and it now refers to a different hostname.

Ideally, I'd like the ability to alter the cookie for the new URL, but
there's no "I redirected, change things now" callback. There is a
header callback which exposes the Location header, so is it safe to
call curl_easy_setopt(CURLOPT_COOKIE) then to affect what gets sent to
the next connection?
Received on 2008-04-10
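
An added example, not part of the original post and not libcurl code: the hostname check a caller could apply before re-sending a manually set cookie to a redirect target. It assumes the application handles the redirect itself and already has the Location value (for instance from the header callback the post mentions); `host_of` and `cookie_allowed_after_redirect` are hypothetical names, and the comparison is by hostname only, as the post frames it.

```c
#include <ctype.h>
#include <string.h>

/* Extract the lowercase hostname of a URL reference into out.
 * Returns 0 on success, 1 if ref is a path-relative reference (stays on the
 * current host), -1 if it cannot be parsed (caller must withhold the cookie). */
static int host_of(const char *ref, char *out, size_t outlen)
{
    const char *p, *host;
    size_t s = strcspn(ref, "/?#"), alen, hlen, n, i;
    if (ref[0] == '/' && ref[1] == '/')
        p = ref + 2;                          /* //host/path */
    else if (s > 0 && ref[s - 1] == ':' && ref[s] == '/' && ref[s + 1] == '/')
        p = ref + s + 2;                      /* scheme://host/path */
    else
        return memchr(ref, ':', s) ? -1 : 1;  /* scheme without "//": reject */

    alen = strcspn(p, "/?#");                 /* authority = [userinfo@]host[:port] */
    for (host = p, i = 0; i < alen; i++)
        if (p[i] == '@')
            host = p + i + 1;                 /* host starts after the last '@' */
    hlen = alen - (size_t)(host - p);
    if (hlen > 0 && host[0] == '[') {         /* bracketed IPv6 literal */
        const char *rb = memchr(host, ']', hlen);
        if (!rb)
            return -1;
        n = (size_t)(rb - host) + 1;
    } else {
        const char *colon = memchr(host, ':', hlen);
        n = colon ? (size_t)(colon - host) : hlen;
    }
    if (n == 0 || n >= outlen)
        return -1;
    for (i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)host[i]);
    out[n] = '\0';
    return 0;
}

/* 1 if a cookie set for original_url may accompany the request to location. */
int cookie_allowed_after_redirect(const char *original_url, const char *location)
{
    char a[256], b[256];
    int r;
    if (host_of(original_url, a, sizeof a) != 0)
        return 0;
    r = host_of(location, b, sizeof b);
    return r == 1 || (r == 0 && strcmp(a, b) == 0);
}
```

Anything the parser cannot classify is treated as a different host, so the cookie is withheld rather than forwarded on a malformed Location value.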