
ClientSession is leaking cookies across hostnames #792

Closed
panda73111 opened this issue Feb 19, 2016 · 4 comments

Comments

@panda73111
Contributor

Since ClientSession does not link cookies to hostnames, all cookies are sent with every request made using the same session. This leaks cookies across hostnames. Even when using a separate session for each hostname-specific request, the session cookies are sent across HTTP 3xx redirects.

The intuitive fix would be connecting the cookies to their hostname within ClientSession. I'll try to write a patch and test cases if no one has a better idea.
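As an added illustration of the fix proposed above (example code, not aiohttp's own implementation), a minimal cookie jar that binds each cookie to the host that set it using RFC 6265 domain matching, plus a helper that simulates a redirect chain so the cross-host 3xx case is visible. Hostnames in the test are constructed.

```python
# Added example (not aiohttp's code): a cookie jar that binds each cookie to the
# host that set it, following RFC 6265 domain matching, so cookies never cross hostnames.
from http.cookies import SimpleCookie
from ipaddress import ip_address
from urllib.parse import urlsplit


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: host equals domain, or is a subdomain of it (never for IPs)."""
    host, domain = host.lower().rstrip("."), domain.lower().strip(".")
    if host == domain:
        return True
    try:
        ip_address(host)
        return False  # an IP address never suffix-matches a domain
    except ValueError:
        return host.endswith("." + domain)


class HostScopedCookieJar:
    """Each stored cookie remembers its domain; host-only unless Domain= was given."""

    def __init__(self) -> None:
        self._cookies = {}  # (name, domain) -> (value, host_only)

    def update_cookies(self, response_url: str, set_cookie_header: str) -> None:
        origin = urlsplit(response_url).hostname.lower()
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lower().strip(".")
            if domain and not domain_match(origin, domain):
                continue  # a host may not plant cookies for an unrelated domain
            self._cookies[(name, domain or origin)] = (morsel.value, not domain)

    def filter_cookies(self, request_url: str) -> dict:
        """Return only the cookies RFC 6265 allows to be sent to this URL's host."""
        host = urlsplit(request_url).hostname.lower()
        sent = {}
        for (name, domain), (value, host_only) in self._cookies.items():
            allowed = host == domain if host_only else domain_match(host, domain)
            if allowed:
                sent[name] = value
        return sent


def cookies_sent_along_chain(jar: HostScopedCookieJar, hops: list) -> list:
    """Simulate following redirects: each hop is (url, Set-Cookie header or None).
    Returns the cookie dict that would be sent with each request in the chain."""
    sent = []
    for url, set_cookie in hops:
        sent.append(jar.filter_cookies(url))
        if set_cookie:
            jar.update_cookies(url, set_cookie)
    return sent
```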

@asvetlov
Member

Yes, the issue describes a very serious bug.
But the solution is not so easy.
I'm afraid that if the aiohttp client should mimic cookie processing by modern browsers, it should also respect subdomains and CORS. The first is relatively easy, but emulating withCredentials for CORS is a real nightmare.

@panda73111 panda73111 mentioned this issue Feb 22, 2016
@gwillem
Contributor

gwillem commented Mar 4, 2016

Thanks @panda73111 for your PR. I use aiohttp to crawl half the internet and I could not explain why my outbound traffic was 20x inbound, until I ran tcpdump ;-)

@gwillem gwillem mentioned this issue Mar 7, 2016
@asvetlov asvetlov added the sprint label Jun 2, 2016
@asvetlov
Member

asvetlov commented Jun 3, 2016

Fixed by Cookie filter #799

@lock

lock bot commented Oct 29, 2019

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel there are important points made in this discussion,
please include those excerpts in that new issue.

@lock lock bot added the outdated label Oct 29, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 29, 2019