curl sending expired cookie in 7.62.0 #3351

@jeroen

After updating to 7.62.0 one of my unit tests started failing. The problem is that when the server unsets a cookie, and the libcurl client makes a subsequent request within 1 second after the response, curl will include the deleted cookie in the request.

Example:

I ran into this with the R bindings, not sure if there is an easy way to reproduce in the cmd line. Basically the test performs the 4 steps below (using a single easy handle):

  1. create new easy handle, set curlopt_verbose = 1
  2. perform request to https://httbin.org/cookies/set?foo=123&bar=456. The server responds:

     ```
     ...
     * Added cookie foo="123" for domain eu.httpbin.org, path /, expire 0
     < Set-Cookie: foo=123; Secure; Path=/
     * Added cookie bar="456" for domain eu.httpbin.org, path /, expire 0
     < Set-Cookie: bar=456; Secure; Path=/
     ```

  3. perform subsequent request to https://httpbin.org/cookies/delete?bar. The server responds:

     ```
     ...
     * Replaced cookie bar="" for domain eu.httpbin.org, path /, expire 1544281853
     < Set-Cookie: bar=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
     ```

     Hence the bar cookie has been marked as expired by the server.

  4. immediately perform another request https://httpbin.org/cookies. Now libcurl will send:

     ```
     * Found bundle for host eu.httpbin.org: 0x101b3ead0 [can pipeline]
     * Re-using existing connection! (#2) with host eu.httpbin.org
     * Connected to eu.httpbin.org (34.246.221.52) port 443 (#2)
     > GET /cookies HTTP/1.1
     Host: eu.httpbin.org
     User-Agent: R (3.5.1 x86_64-apple-darwin15.6.0 x86_64 darwin15.6.0)
     Accept: */*
     Accept-Encoding: gzip, deflate
     Cookie: bar=; foo=123
     ```

Note the last line. It is including the expired bar= cookie which seems wrong. In previous versions of curl it would correctly omit the expired bar and just send Cookie: foo=123 instead.

Also note that the problem does not appear if you wait at least 1 second between step 3 and 4.
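
A regression check for the behaviour reported above, as an added example that is not part of the original report or of curl: it scans a captured verbose trace and flags any request `Cookie:` header that carries a cookie the server had already deleted. The function names are hypothetical, the sample trace is constructed from the lines in the report, and domain and path matching are ignored on the assumption that the trace covers a single host.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: verbose lines from the report above, in request order.
TRACE = """\
< Set-Cookie: foo=123; Secure; Path=/
< Set-Cookie: bar=456; Secure; Path=/
< Set-Cookie: bar=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
> GET /cookies HTTP/1.1
Host: eu.httpbin.org
Cookie: bar=; foo=123
"""

def is_deletion(attrs, now):
    """True if the Set-Cookie attributes expire the cookie at or before `now`."""
    # Max-Age takes precedence over Expires (RFC 6265).
    if re.fullmatch(r"-?\d+", attrs.get("max-age", "")):
        return int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False  # unparsable date: treat as a session cookie
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False

def stale_cookies_sent(trace, now=None):
    """Return (line_number, name) for every cookie sent after the server deleted it."""
    now = now or datetime.now(timezone.utc)
    deleted, findings = set(), []
    for n, line in enumerate(trace.splitlines(), 1):
        line = line.strip()
        m = re.match(r"<\s*Set-Cookie:\s*([^=;\s]+)=[^;]*(.*)$", line, re.I)
        if m:
            pairs = (p.strip().partition("=") for p in m.group(2).split(";"))
            attrs = {k.lower(): v for k, _, v in pairs if k}
            if is_deletion(attrs, now):
                deleted.add(m.group(1))
            else:
                deleted.discard(m.group(1))  # cookie was set again
            continue
        m = re.match(r"(?:>\s*)?Cookie:\s*(.*)$", line, re.I)
        if m:
            names = (p.strip().partition("=")[0] for p in m.group(1).split(";"))
            findings += [(n, name) for name in names if name in deleted]
    return findings
```

On the constructed trace the check reports `bar` on line 6; a trace from a client that honours the deletion produces an empty list.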
