
Client strips preceding dot in response.cookies values when cookie is set with preceding dot #3817

Open
juraseg opened this issue Jun 7, 2019 · 0 comments


juraseg commented Jun 7, 2019

Long story short

I need to set the domain for cookies with a preceding dot, for example ".example.com". On the server I specify the domain as ".example.com" and it sends the proper headers.

I use the aiohttp server, so I write tests using the pytest plugin. When testing I found that the preceding dot is stripped from the cookie domain when you check it using `response.cookies[<cookie_name>].domain`. I've tried the same using the aiohttp client and found that it has the same issue.

The leading dot in browsers allows all subdomains to access the cookie, while without it subdomains can't access the cookie. This was found by testing browsers, despite what is said here - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

Expected behaviour

Cookies in response.cookies do not strip the leading dot from the domain name.

Actual behaviour

Preceding dots are stripped from domain names in response.cookies.

Steps to reproduce

Test code below.
Server:

from aiohttp import web


async def handle(request):
    # Set a cookie whose Domain attribute carries a leading dot and
    # print the Set-Cookie header exactly as the server will send it.
    response = web.json_response({})
    response.set_cookie('my_cookie', 'value', domain='.example.com')
    print(response.cookies)

    return response

app = web.Application()
app.add_routes([web.get('/', handle)])

# Serves on http://0.0.0.0:8080 by default.
web.run_app(app)

When it receives a request it outputs:

Set-Cookie: my_cookie=value; Domain=.example.com; Path=/

Client:

import aiohttp
import asyncio

async def main():
    async with aiohttp.ClientSession() as session:
        result = await session.get('http://localhost:8080/', headers={'Origin': 'subdomain.example.com'})
        # Parsed cookies as exposed by the client response object.
        for c in result.cookies:
            print(f'{c}={result.cookies[c]}')
        # Raw response headers, for comparison with the parsed cookie.
        print(result.headers)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())

When run it outputs:

my_cookie=Set-Cookie: my_cookie=value; Domain=example.com; Path=/
<CIMultiDictProxy('Content-Type': 'application/json; charset=utf-8', 'Content-Length': '2', 'Set-Cookie': 'my_cookie=value; Domain=.example.com; Path=/', 'Date': 'Fri, 07 Jun 2019 09:40:26 GMT', 'Server': 'Python/3.7 aiohttp/3.5.4')>

You can see that the client receives the "Set-Cookie" header with domain ".example.com", but when accessing it through response.cookies the cookie has domain "example.com".

Your environment

Python 3.7.2
ArchLinux
aiohttp==3.5.4
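Added worked example (not part of the report above and not aiohttp's own code): it parses a constructed Set-Cookie header, modelled on the one printed in the report, with the standard-library `http.cookies.SimpleCookie`, then applies the RFC 6265 rules that a conforming user agent applies to the Domain attribute. Section 5.2.3 of the RFC drops one leading dot before the value is used, so ".example.com" and "example.com" are the same cookie-domain; the thing that actually decides whether subdomains receive the cookie is the host-only flag from section 5.3, which is set only when no Domain attribute is sent at all. Host names and assertions are assumptions made for the example.

```python
"""RFC 6265 cookie-domain handling: leading dot vs host-only flag (added example)."""
import ipaddress
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Constructed sample header, modelled on the one printed in the report above.
SET_COOKIE_HEADER = "my_cookie=value; Domain=.example.com; Path=/"


def parse_domain_attributes(header_value: str) -> Dict[str, str]:
    """Return {cookie-name: raw Domain attribute} exactly as SimpleCookie stores it."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {name: morsel["domain"] for name, morsel in jar.items()}


def canonical_cookie_domain(domain_attr: str) -> str:
    """RFC 6265 section 5.2.3: drop a single leading '.', then lower-case."""
    if domain_attr.startswith("."):
        domain_attr = domain_attr[1:]
    return domain_attr.lower()


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match of request_host against cookie_domain."""
    host = request_host.lower()
    if not cookie_domain:
        return False
    if host == cookie_domain:
        return True
    # A suffix match only counts on a label boundary and only for host
    # names, never IP addresses (10.0.0.1 must not match "0.0.1").
    if not host.endswith(cookie_domain) or host[-len(cookie_domain) - 1] != ".":
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True  # not an IP literal: a real host-name suffix match
    return False


def cookie_scope(request_host: str, domain_attr: Optional[str]) -> Optional[Tuple[str, bool]]:
    """RFC 6265 section 5.3 steps 4-6: (effective domain, host_only), or None if rejected."""
    if not domain_attr:
        # No Domain attribute at all: host-only cookie, returned to this exact host only.
        return request_host.lower(), True
    cookie_domain = canonical_cookie_domain(domain_attr)
    if not domain_matches(request_host, cookie_domain):
        # A response from evil.com may not set a cookie scoped to example.com.
        return None
    return cookie_domain, False


def should_send(effective_domain: str, host_only: bool, request_host: str) -> bool:
    """RFC 6265 section 5.4 step 1: does a stored cookie belong on a request to request_host?"""
    if host_only:
        return request_host.lower() == effective_domain
    return domain_matches(request_host, effective_domain)


if __name__ == "__main__":
    raw = parse_domain_attributes(SET_COOKIE_HEADER)["my_cookie"]
    scope = cookie_scope("example.com", raw)
    print("stored by SimpleCookie:", raw)
    print("after RFC 6265 canonicalisation (domain, host_only):", scope)
    for host in ("example.com", "subdomain.example.com", "notexample.com"):
        print(host, "->", should_send(scope[0], scope[1], host))
```

Running the script shows the dot surviving the stdlib parse, the canonical domain "example.com" with host_only False, and the cookie being sent to both example.com and subdomain.example.com but not to notexample.com. Replacing the Domain attribute with none at all flips host_only to True, and the subdomain stops receiving the cookie.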
