Description
After updating to 7.62.0 one of my unit tests started failing. The problem is that when the server unsets a cookie, and the libcurl client makes a subsequent request within 1 second after the response, curl will include the deleted cookie in the request.
Example:
I ran into this with the R bindings, not sure if there is an easy way to reproduce in the cmd line. Basically the test performs the 4 steps below (using a single easy handle):
- create new easy handle, set curlopt_verbose = 1
- perform request to `https://httbin.org/cookies/set?foo=123&bar=456`. The server responds:

  ```
  ...
  * Added cookie foo="123" for domain eu.httpbin.org, path /, expire 0
  < Set-Cookie: foo=123; Secure; Path=/
  * Added cookie bar="456" for domain eu.httpbin.org, path /, expire 0
  < Set-Cookie: bar=456; Secure; Path=/
  ```
- perform subsequent request to `https://httpbin.org/cookies/delete?bar`. The server responds:

  ```
  ...
  * Replaced cookie bar="" for domain eu.httpbin.org, path /, expire 1544281853
  < Set-Cookie: bar=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
  ```

  Hence the `bar` cookie has been marked as expired by the server.
- immediately perform another request `https://httpbin.org/cookies`. Now libcurl will send:

  ```
  * Found bundle for host eu.httpbin.org: 0x101b3ead0 [can pipeline]
  * Re-using existing connection! (#2) with host eu.httpbin.org
  * Connected to eu.httpbin.org (34.246.221.52) port 443 (#2)
  > GET /cookies HTTP/1.1
  Host: eu.httpbin.org
  User-Agent: R (3.5.1 x86_64-apple-darwin15.6.0 x86_64 darwin15.6.0)
  Accept: */*
  Accept-Encoding: gzip, deflate
  Cookie: bar=; foo=123
  ```

Note the last line. It is including the expired `bar=` cookie which seems wrong. In previous versions of curl it would correctly omit the expired `bar` and just send `Cookie: foo=123` instead.

Also note that the problem does not appear if you wait at least 1 second between step 3 and 4.
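
The one-second window reported above can be reproduced in a small model of a cookie jar. This is an added example, not code from the report or from libcurl: the names `jar_set` and `jar_header` are hypothetical, and it assumes the jar stores `Max-Age=0` as an expiry equal to the current second (as the `expire 1544281853` log line suggests) and compares at one-second resolution.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified cookie jar: a hypothetical model, not libcurl's code. */
struct cookie { char name[32], value[64]; time_t expires; /* 0 = session */ };
struct jar { struct cookie c[8]; int n; };

/* Store or replace a cookie. Max-Age=0 gives expires == now. */
void jar_set(struct jar *j, const char *name, const char *value,
             long max_age, time_t now)
{
  int i = 0;
  while(i < j->n && strcmp(j->c[i].name, name)) i++;
  if(i == 8) return; /* jar full: drop the cookie */
  if(i == j->n) j->n++;
  snprintf(j->c[i].name, sizeof(j->c[i].name), "%s", name);
  snprintf(j->c[i].value, sizeof(j->c[i].value), "%s", value);
  j->c[i].expires = max_age < 0 ? 0 : now + (time_t)max_age; /* <0: none */
}

/* Build the Cookie header. strict_less: expired only if expires < now, so a
   cookie deleted in the current second is still sent; else expires <= now. */
size_t jar_header(const struct jar *j, time_t now, int strict_less,
                  char *out, size_t len)
{
  size_t used = 0;
  out[0] = '\0';
  for(int i = 0; i < j->n; i++) {
    const struct cookie *c = &j->c[i];
    if(c->expires && (strict_less ? c->expires < now : c->expires <= now))
      continue;
    int w = snprintf(out + used, len - used, "%s%s=%s",
                     used ? "; " : "", c->name, c->value);
    if(w < 0 || (size_t)w >= len - used) { out[0] = '\0'; return 0; }
    used += (size_t)w;
  }
  return used;
}

int main(void)
{
  struct jar j = {0};
  char hdr[128];
  jar_set(&j, "foo", "123", -1, 1544281853); /* constructed clock value */
  jar_set(&j, "bar", "", 0, 1544281853);     /* Set-Cookie: bar=; Max-Age=0 */
  jar_header(&j, 1544281853, 1, hdr, sizeof(hdr));
  printf("Cookie: %s\n", hdr);
  return 0;
}
```

A regression test for this behaviour needs to issue the follow-up request within the same second as the delete response, since a test that sleeps between the two requests passes under either comparison.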