Set-Cookie not overwriting anymore / behavior change between 7.47.1 and 7.61.1 #3299

Closed
@daboul

Hi.
I have a simple server (ASP.NET Core) with cookie Authentication that is sending to my curl client a Set-Cookie at login, and another one to overwrite the same cookie at logout. The curl client is using a cookie-jar file to store the cookie.

Note that I'm using the code from Microsoft/ASP.NET Core and haven't done anything particular in the server code. I'm not manipulating the cookie, just a basic SignIn / SignOut which takes care of sending the Set-Cookie command back to the curl client.

With a 7.47.1, it is working fine. After the logout I'm getting the cookie cleaned out from my cookie-jar.

LOGIN 7.47.1
HTTP server response:

* Added cookie cookieModuleXXX="CfDJ8PNMkDZf1-VPjhP1ezVfsxJxlvsx40RiS-..." for domain localhost, path /XXX/YYY, expire 1542884051
< Set-Cookie: cookieModuleXXX=CfDJ8PNMkDZf1-VPjhP1ezVfsxJxlvsx40RiS-...; expires=Thu, 22 Nov 2018 10:54:11 GMT; path=/XXX/YYY; secure; samesite=lax; httponly

cookiejar.txt:
#HttpOnly_localhost FALSE /XXX/YYY TRUE 1542884051 cookieModuleXXX CfDJ8PNMkDZf1-VPjhP1ezVfsxJxlvsx40RiS-...

LOGOUT 7.47.1
HTTP server response:

* Replaced cookie cookieModuleXXX="" for domain localhost, path /XXX/YYY, expire 1
< Set-Cookie: cookieModuleXXX=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/XXX/YYY; samesite=lax

cookiejar.txt: ==>EMPTY

With a 7.61.1, it is failing. The cookie remains in my cookie-jar, hence my session remains open and active and I can't sign out. A simple change of curl.exe, with the exact same command line, suffices to replicate the issue.

LOGIN 7.61.1
HTTP server response:

* Added cookie cookieModuleXXX="CfDJ8PNMkDZf1-VPjhP1ezVfsxLH8UB6HEB_..." for domain localhost, path /XXX/YYY, expire 1542881087
< Set-Cookie: cookieModuleXXX=CfDJ8PNMkDZf1-VPjhP1ezVfsxLH8UB6HEB_...; expires=Thu, 22 Nov 2018 10:04:47 GMT; path=/XXX/YYY; samesite=lax; httponly

cookiejar.txt:
#HttpOnly_localhost FALSE /XXX/YYY FALSE 1542881087 cookieModuleXXX CfDJ8PNMkDZf1-VPjhP1ezVfsxLH8UB6HEB_...

LOGOUT 7.61.1
HTTP server response:

* Replaced cookie cookieModuleXXX="" for domain localhost, path /XXX/YYY, expire 1
< Set-Cookie: cookieModuleXXX=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/XXX/YYY; samesite=lax

cookiejar.txt: ==>NOT GETTING CLEANED
#HttpOnly_localhost FALSE /XXX/YYY FALSE 1542881087 cookieModuleXXX CfDJ8PNMkDZf1-VPjhP1ezVfsxLH8UB6HEB_...

So basically, Set-Cookie cookieModuleXXX="" is not overwriting and emptying my cookie-jar with the 7.61.1 as it was done in 7.47.1. Am I missing something? Is the new behavior making more sense for a reason I'm not getting?

Thank you,
David.
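
A post-logout check over the cookie jar format shown in the report, as an added example that is not part of the original issue or of curl: it parses the jar, treats `#HttpOnly_` lines as cookies rather than comments, and reports any copy of the named cookie that is still unexpired. The function names and the sample jars are constructed for illustration, and the code assumes the tab-separated layout of a real jar file.

```python
import time
from typing import NamedTuple

HTTPONLY_PREFIX = "#HttpOnly_"  # marks an HttpOnly cookie line, not a comment

class JarCookie(NamedTuple):
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int  # epoch seconds; curl writes 0 for session cookies
    name: str
    value: str
    httponly: bool

def parse_jar(text):
    """Parse Netscape-format cookie jar text into JarCookie records."""
    cookies = []
    for line in text.splitlines():
        httponly = line.startswith(HTTPONLY_PREFIX)
        if httponly:
            line = line[len(HTTPONLY_PREFIX):]
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or real comment
        fields = line.split("\t")
        if len(fields) == 6:
            fields.append("")  # empty value whose trailing tab was trimmed
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed line
        domain, sub, path, secure, expires, name, value = fields
        cookies.append(JarCookie(domain, sub == "TRUE", path, secure == "TRUE",
                                 int(expires), name, value, httponly))
    return cookies

def leftover_cookies(jar_text, name, now=None):
    """Cookies called `name` that are still unexpired at `now` (epoch seconds)."""
    now = time.time() if now is None else now
    return [c for c in parse_jar(jar_text)
            if c.name == name and (c.expires == 0 or c.expires > now)]

# Constructed sample jars; the cookie value is a placeholder.
HEADER = "# Netscape HTTP Cookie File\n\n"
JAR_CLEARED = HEADER
JAR_LEFTOVER = HEADER + "\t".join(
    ["#HttpOnly_localhost", "FALSE", "/XXX/YYY", "FALSE",
     "1542881087", "cookieModuleXXX", "PLACEHOLDER_VALUE"]) + "\n"

if __name__ == "__main__":
    for label, jar in (("cleared", JAR_CLEARED), ("leftover", JAR_LEFTOVER)):
        found = leftover_cookies(jar, "cookieModuleXXX", now=1542800000)
        print(label, "->", "FAIL: session cookie still in jar" if found else "ok")
```

Run against the jar file written after the logout request, a non-empty result means the client still holds a usable session cookie.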
