Set-Cookie not overwriting anymore / behavior change between 7.47.1 and 7.61.1 #3299
Note that I'm using the code from Microsoft/ASP.NET Core and haven't done anything particular in the server code. I'm not manipulating the cookie, just a basic SignIn / SignOut which takes care of sending the Set-Cookie command back to the curl client.
With a 7.47.1, it is working fine. After the logout I'm getting the cookie cleaned out from my cookie-jar.
With a 7.61.1, it is failing. The cookie remains in my cookie-jar, hence my session remains open and active and I can't sign out. A simple change of curl.exe, with the exact same command line, suffices to replicate the issue.
cookiejar.txt: ==>NOT GETTING CLEANED
So basically, Set-Cookie cookieModuleXXX="" is not overwriting and emptying my cookie-jar with the 7.61.1 as it was done in 7.47.1. Am I missing something? Is the new behavior making more sense for a reason I'm not getting?
Hm, this seems to happen when the last cookie is removed from the internal cookie stash in memory as then it skips writing the file since there are no cookies to save... This has actually always been the case, but in recent years we've enhanced the expiring of cookies internally so it has then caused this side-effect.
I suppose the end result here is that we can't avoid writing the file even if there aren't any cookies left, for exactly this reason!
@daboul one fairly easy work-around is for you to ask curl to first read some irrelevant cookies from a local file that will remain in the cookie cache in memory (and never sent off since they won't match), as then it will have to write those to the cookie jar again later.
Or to change file names when you write the cookies as then you'll note that the file is missing which then means no cookies to load.
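The second work-around above (write the jar under a different file name and treat a missing file as "no cookies"), as an added shell example that is not part of the thread or of curl's own code. The function names and the `.new` suffix are assumptions; `-b` and `-c` are curl's existing cookie options.

```shell
#!/bin/sh
# Added example: keep a cookie jar consistent even when curl writes no file
# because the last cookie was removed (the behaviour described in this issue).

# Call after a successful "curl -b "$jar" -c "$jar.new" ...".
# A missing $jar.new means no cookies were left, so the stale jar is deleted.
commit_jar() {
    jar=$1
    if [ -f "$jar.new" ]; then
        mv -f "$jar.new" "$jar"
    else
        rm -f "$jar"
    fi
}

# Return 0 if the Netscape-format jar $1 still holds cookie $2 with a value.
jar_has_cookie() {
    [ -f "$1" ] || return 1
    awk -F '\t' -v name="$2" '
        { sub(/^#HttpOnly_/, "") }      # HttpOnly cookies carry this prefix
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        $6 == name && $7 != "" { found = 1 }
        END { exit !found }
    ' "$1"
}

# Run curl reading the current jar and writing to a fresh file name.
# The jar is only replaced when curl itself succeeded, so a network
# failure does not throw away a still-valid session.
curl_with_jar() {
    jar=$1; shift
    rm -f "$jar.new"
    curl -sS -b "$jar" -c "$jar.new" "$@" && commit_jar "$jar"
}
```

After a sign-out request made through `curl_with_jar`, `jar_has_cookie` can confirm that the session cookie is really gone before the jar is reused.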
@jzakrzewski I agree and I'm actually surprised because I'm using the vanilla ASP.NET Core server with cookie authentication and I was expecting that calling SignOut server side would invalidate some kind of server side session, so that even if the client comes back with the cookie again, it won't get accepted and the authentication would fail. But it is not the case, I'll try to dig a little bit on the server part as well.
@bagder Thank you.
@jzakrzewski Indeed the default implementation of ASP.NET Core with the Cookie Authentication activated is stateless, so I need the cookie to get destroyed by the client. I could add a session server side, but making the server stateful would have an important impact on the overall architecture and would be overkill just to work around this issue. Reference: https://stackoverflow.com/questions/48589373/is-it-asp-net-core-cookie-authentication-without-identity-session-stateless-yes/53433223#53433223
@bagder with the current delivery process which I'm not familiar with, when can we expect a new official package with that fix? Asking to decide whether I should build it myself or wait for the official package.