curl sending expired cookie in 7.62.0 #3351
RFC 6265 says the following for the Max-Age value:
... but the libcurl code seems to wrongly treat zero as any other value and therefore it won't expire this cookie within the same second:

Lines 669 to 684 in d997aa0

@danielgustafsson, you've looked at cookies recently. Would you agree?

#3352 is my proposed fix with a new test to verify it

I agree with your interpretation of the RFC and your fix.

Thanks for the quick fix. Hopefully this makes it into the upcoming release!

After updating to 7.62.0 one of my unit tests started failing. The problem is that when the server unsets a cookie, and the libcurl client makes a subsequent request within 1 second after the response, curl will include the deleted cookie in the request.
Example:
I run into this with the R bindings, not sure if there is an easy way to reproduce in the cmd line. Basically the test performs the 4 steps below (using a single easy handle)

- https://httbin.org/cookies/set?foo=123&bar=456 . The server responds:
- https://httpbin.org/cookies/delete?bar . The server responds:

  Hence the `bar` cookie has been marked as expired by the server.
- https://httpbin.org/cookies . Now libcurl will send:

  Note the last line. It is including the expired `bar=` cookie which seems wrong. In previous versions of curl it would correctly omit the expired `bar` and just send `Cookie: foo=123` instead.

Also note that the problem does not appear if you wait at least 1 second between step 3 and 4.
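
The same-second behaviour reported above, next to the RFC 6265 Max-Age rule raised in the comments, as an added example that is not part of the original issue and is not libcurl's code. The function names, the whole-second `time_t` expiry, and the "0 means session cookie" convention are assumptions of this sketch.

```c
/* Added illustration, not libcurl source: expiry stored as whole seconds. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Assumed jar rule for this sketch: 0 means session cookie (no expiry);
 * otherwise the cookie is dropped once its expiry is strictly in the past. */
static bool cookie_is_expired(time_t expires, time_t now)
{
    return expires != 0 && expires < now;
}

/* Treats Max-Age=0 like any other value: expiry = now + 0 = now, which is
 * not yet in the past for the remainder of the current second. */
static time_t expiry_naive(long max_age, time_t now)
{
    return now + (time_t)max_age;
}

/* RFC 6265 section 5.2.2: delta-seconds <= 0 means the earliest representable
 * time. 1 is used because 0 is reserved for session cookies in this sketch. */
static time_t expiry_rfc6265(long max_age, time_t now)
{
    if (max_age <= 0)
        return (time_t)1;
    return now + (time_t)max_age;
}

/* Is the cookie still sent on a request made `delay` seconds after it was set? */
static bool sent_after(time_t (*expiry)(long, time_t), long max_age,
                       time_t set_at, long delay)
{
    return !cookie_is_expired(expiry(max_age, set_at), set_at + (time_t)delay);
}

int main(void)
{
    const time_t t0 = 1543000000; /* constructed timestamp */
    printf("naive, same second: sent=%d\n", sent_after(expiry_naive, 0, t0, 0));
    printf("naive, 1s later:    sent=%d\n", sent_after(expiry_naive, 0, t0, 1));
    printf("rfc,   same second: sent=%d\n", sent_after(expiry_rfc6265, 0, t0, 0));
    printf("rfc,   Max-Age=60:  sent=%d\n", sent_after(expiry_rfc6265, 60, t0, 30));
    return 0;
}
```

A regression test for this class of bug needs to issue the follow-up request within the same second as the deleting response, since a one-second delay hides the difference between the two expiry functions.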