Bugs item #2544227, was opened at 2009-01-29 01:10
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2544227&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: bad behaviour
>Status: Closed
Resolution: Out of Date
Priority: 5
Private: No
Submitted By: actuator (actuator)
Assigned to: Daniel Stenberg (bagder)
Summary: Old cookie not updated during FOLLOWLOCATION

Initial Comment:
Curl performs a post

Server1 sets a cookie with value=Ax50
Server1 redirects to Server2

Server2 sets an unrelated cookie
Server2 redirects to Server1

Curl sends correct "value=Ax50" cookie
Server1 sets a cookie "value=Bx300"
This cookie should overwrite the original
Both are "secure" cookies

Server1 redirects to Server1 (again)
Curl sends the old "value=Ax50" cookie
This is the problem.

Both cookies end up in the cookiejar/file but the old one is at the top and still used.

It would take time to configure a server or two to set cookies during redirects so I haven't bothered to find the most simple case of this occurring. It may be a simple cookie overwrite problem. Hopefully someone can experiment or scan through the source.

This was with Windows PHP 5.

CURLOPT_FOLLOWLOCATION, 1
CURLOPT_MAXREDIRS, 8
CURLOPT_RETURNTRANSFER, 1
CURLOPT_COOKIEFILE, samepath
CURLOPT_COOKIEJAR, samepath

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2009-02-22 13:10

Message:
Due to lack of feedback/response in this bug report, we close it.

Should there appear an informational response later on, we can
always re-open it again.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2009-02-01 19:46

Message:
A) 7.16.0 is over two years and 300+ bugfixes old. I'm sorry but we're not
able to deal with chasing for possible bugs in ancient versions!

B) If this truly is something bad I would need an exact description,
possibly with specific public sites to use or fully recorded headers
(rqeuests + responses) so I can repeat it myself and get a chance to
analyze it before I decide on if this is a bug or not and if so how to fix
it.

----------------------------------------------------------------------

Comment By: actuator (actuator)
Date: 2009-02-01 17:29

Message:
[version] => 7.16.0

Since this is in the Netscape spec but behaves differently to browsers,
can you suggest the best way to fix it?
The hack I have to use at the moment is terrible.

I could possibly patch the source myself but I haven't been able to work
out how to build php_curl for Windows.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2009-01-29 22:11

Message:
What libcurl version did you see this happen on?

And about the path, the good old netscape spec says this about it:

"If the path is not specified, it as assumed to be the same path as the
document being described by the header which contains the cookie. "

----------------------------------------------------------------------

Comment By: actuator (actuator)
Date: 2009-01-29 01:33

Message:
The path at which the new cookie is set (long?pathwithvariab) contains
forward slashes and is 427 characters long in total. The path in the
cookiefile for the new cookie is 248 characters long and truncated
precisely on one of the forward slashes.

----------------------------------------------------------------------

Comment By: actuator (actuator)
Date: 2009-01-29 01:26

Message:
I just noticed in the cookiefile.txt the full web path is being stored for
the new cookie which seems very unusual and probably where the bug lies.
The Set-Cookie header doesn't specify the path:

Set-Cookie:
some_value=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB;
Expires=Thu, 28-Jan-2010 20:00:00 GMT; Secure

but in cookiefile.txt:

# Netscape HTTP Cookie File
# http://curlm.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

www.server1.com FALSE /path1/ TRUE 4 some_value AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

.server2.com TRUE / FALSE 1 a 1234
.server2.com TRUE / FALSE 1 b 1234
.server2.com TRUE / FALSE 2 c 1234

www.server1.com FALSE /path1/long?pathwithvariables=in&pathwithvariables=in&pathwithvariables=in&pathwithvariables=in&pathwithvariables=in&pathwithvariables=in&pathwithvariables=in&pathwithvariables=in/ TRUE 4 some_value BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

.server2.com TRUE / FALSE 3 d 1234

Hopefully that illustrates the problem without the actual data.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2544227&group_id=976
Received on 2009-02-22