curl-library

Re: Cookie Secure flag

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 18 Feb 2016 09:15:31 +0100 (CET)

On Wed, 17 Feb 2016, Ray Satiro via curl-library wrote:

>> So my question is: is it possible to tell libcurl to ignore the Secure Flag
>> and process the Cookie as a "normal" cookie ?
>
> I don't see that supported and I think it's unlikely it will be.

I agree. In this day and age we have a problem on the general web with cookie
leakage from HTTPS over to HTTP and there are already plans and drafts in the
works for making it less likely to occur in the future. It would feel odd to
then provide an official way for us to enable such a leak.

> You can override the behavior of the cookie parser quick and dirty to
> include secure cookies in a particular host's cookie list even if the
> connection is not secured, but you'll have to edit the source to do it.

Another way to do it would probably be to use curl_easy_getinfo's
CURLINFO_COOKIELIST to extract all the cookies, clear off the secure flags,
flush the entire internal list of cookies and then bring the scrubbed list
back with CURLOPT_COOKIELIST.

-- 
  / daniel.haxx.se
Received on 2016-02-18
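
The scrub step from the mail above, as an added example that is not part of the original message or of libcurl: it rewrites the secure field of one cookie line in the Netscape format that CURLINFO_COOKIELIST returns. The function name and the restriction to a single named host are assumptions of this example (other hosts keep their Secure flag), and the sample line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Cookie line as returned by CURLINFO_COOKIELIST (Netscape format, tab separated):
 *   domain, include-subdomains, path, secure, expiry, name, value
 * HttpOnly cookies carry a "#HttpOnly_" prefix on the domain field.
 *
 * Copies line to out, changing secure TRUE -> FALSE only if the cookie's domain
 * is exactly host (leading dot ignored, case-sensitive compare).
 * Returns 1 if cleared, 0 if copied unchanged, -1 if malformed or out too small. */
int scrub_secure_for_host(const char *line, const char *host,
                          char *out, size_t outlen)
{
    const char *secure = line, *dom = line, *tab1;
    size_t domlen, prefix;
    int i;

    for (i = 0; i < 3; i++) {              /* skip three fields to reach "secure" */
        secure = strchr(secure, '\t');
        if (!secure) return -1;
        secure++;
    }
    if (strlen(line) + 2 > outlen) return -1;   /* may grow by one byte, plus NUL */

    if (strncmp(dom, "#HttpOnly_", 10) == 0) dom += 10;
    if (*dom == '.') dom++;
    tab1 = strchr(line, '\t');
    domlen = (size_t)(tab1 - dom);

    if (strncmp(secure, "TRUE\t", 5) != 0 ||
        domlen != strlen(host) || strncmp(dom, host, domlen) != 0) {
        strcpy(out, line);                 /* other hosts keep their Secure flag */
        return 0;
    }
    prefix = (size_t)(secure - line);
    memcpy(out, line, prefix);
    strcpy(out + prefix, "FALSE");
    strcat(out, secure + 4);               /* rest of the line after "TRUE" */
    return 1;
}

int main(void)
{
    /* Constructed sample line, not captured from a real session. */
    char out[128];
    int rc = scrub_secure_for_host("example.com\tFALSE\t/\tTRUE\t0\tsid\tabc123",
                                   "example.com", out, sizeof(out));
    printf("%d %s\n", rc, out);
    return 0;
}
```

With libcurl, each `data` string of the `struct curl_slist` from `curl_easy_getinfo(handle, CURLINFO_COOKIELIST, &list)` goes through this function; passing `"ALL"` to `CURLOPT_COOKIELIST` erases the cookies held in memory, after which each scrubbed line is handed back with `CURLOPT_COOKIELIST`. The list is released with `curl_slist_free_all`.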