
curl-library

Re: Cookie Secure flag

From: Pierre Brico <pierre.brico_at_gmail.com>
Date: Thu, 18 Feb 2016 16:38:48 +0100

Hi Daniel and Ray,

Thanks for your reply and suggestions.

I understand why you don't want to implement this kind of feature in
libcurl, but I don't like the proposed solutions:
- Ray's one: customized modifications in libcurl are not a good idea.
- Daniel's one: the processing to generate the cookies list (strings list and
  not objects list), then parse it, then remove the "secure" attribute, then
  give it back to curl seems a waste of CPU. But no modification is necessary,
  which is a good thing.

My next question is: is it possible to intercept the HTTP header (probably
with a callback function) to remove the "secure" flag BEFORE libcurl processes
it?

Thanks again for this wonderful library and your help!
Pierre

On Thu, Feb 18, 2016 at 9:15 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Wed, 17 Feb 2016, Ray Satiro via curl-library wrote:
>
>>> So my question is: is it possible to tell libcurl to ignore the Secure
>>> Flag and process the Cookie as a "normal" cookie ?
>>>
>>
>> I don't see that supported and I think it's unlikely it will be.
>>
>
> I agree. In this day and age we have a problem on the general web with
> cookie leakage from HTTPS over to HTTP and there are already plans and
> drafts in the works for making it less likely to occur in the future. It
> would feel odd to then provide an official way for us to enable such a leak.
>
>> You can override the behavior of the cookie parser quick and dirty to
>> include secure cookies in a particular host's cookie list even if the
>> connection is not secured, but you'll have to edit the source to do it.
>>
>
> Another way to do it would probably be to use curl_easy_getinfo's
> CURLINFO_COOKIELIST to extract all the cookies, clear off the secure flags,
> flush the entire internal list of cookies and then bring the scrubbed list
> back with CURLOPT_COOKIELIST.
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2016-02-18
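
Added example, not part of the thread and not libcurl code: the per-line step of the CURLINFO_COOKIELIST / CURLOPT_COOKIELIST round trip Daniel describes, narrowed so the secure field is cleared only for one named host and every other cookie keeps its protection against the HTTPS-to-HTTP leak he mentions. The function name `scrub_secure`, its `host` parameter and the sample line are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One CURLINFO_COOKIELIST line is tab-separated (Netscape cookie format):
   domain, subdomains, path, secure, expiry, name, value */
enum { F_SECURE = 3, MIN_TABS = 6 };

/* Copy line into out, clearing the secure field only when the cookie's domain
   is exactly host (case-sensitive). scrub_secure and host are hypothetical.
   Returns 1 = cleared, 0 = copied unchanged, -1 = malformed or out too small. */
int scrub_secure(const char *line, const char *host, char *out, size_t outlen)
{
    const char *p, *dom = line, *dom_end = NULL, *start = NULL, *end = NULL;
    int tabs = 0, n;

    for (p = line; *p; p++) {
        if (*p != '\t') continue;
        tabs++;
        if (tabs == 1) dom_end = p;
        else if (tabs == F_SECURE) start = p + 1;
        else if (tabs == F_SECURE + 1) end = p;
    }
    if (tabs < MIN_TABS) return -1;

    /* HttpOnly cookies carry a "#HttpOnly_" prefix; tail-match domains a '.' */
    if (strncmp(dom, "#HttpOnly_", 10) == 0) dom += 10;
    if (*dom == '.') dom++;

    if ((size_t)(dom_end - dom) == strlen(host) &&
        strncmp(dom, host, strlen(host)) == 0 &&
        end - start == 4 && strncmp(start, "TRUE", 4) == 0) {
        n = snprintf(out, outlen, "%.*sFALSE%s", (int)(start - line), line, end);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
    }
    n = snprintf(out, outlen, "%s", line);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample line, not taken from a real server. */
    const char *line = "intranet.example\tFALSE\t/\tTRUE\t0\tsid\tabc123";
    char out[256];
    int rc = scrub_secure(line, "intranet.example", out, sizeof out);
    printf("%d %s\n", rc, rc < 0 ? "(malformed)" : out);
    return 0;
}
```

In a real program each line of the list returned by CURLINFO_COOKIELIST would go through this function, the jar would be flushed by setting CURLOPT_COOKIELIST to "ALL", and each output line would then be passed back with CURLOPT_COOKIELIST.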