curl sending expired cookie in 7.62.0 #3351
After updating to 7.62.0 one of my unit tests started failing. The problem is that when the server unsets a cookie, and the libcurl client makes a subsequent request within 1 second after the response, curl will include the deleted cookie in the request.
I run into this with the R bindings, not sure if there is an easy way to reproduce in the cmd line. Basically the test performs the 4 steps below (using a single easy handle)
Note the last line. It is including the expired
Also note that the problem does not appear if you wait at least 1 second between step 3 and 4.
RFC 6265 says the following for the Max-Age value:
... but the libcurl code seems to wrongly treat zero as any other value and therefore it won't expire this cookie within the same second:
@danielgustafsson, you've looked at cookies recently. Would you agree?
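Added example, not part of the thread and not libcurl's source: a simplified C model of the same-second behaviour reported above, next to the RFC 6265 section 5.2.2 rule that a Max-Age of zero or less sets the expiry to the earliest representable time. It assumes the client stores the expiry as now + Max-Age and drops a cookie only when that expiry is strictly in the past; all function names and the timestamp are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

/* Simplified model for illustration; names and logic are assumptions,
   not libcurl source. Times are seconds since the epoch, now >= 0. */

/* Parse a Max-Age attribute value. Returns 0 on success, -1 if malformed. */
static int parse_max_age(const char *value, long long *out)
{
  char *end;
  *out = strtoll(value, &end, 10); /* clamps to LLONG_MIN/MAX on overflow */
  return (end == value || *end != '\0') ? -1 : 0;
}

/* Zero handled like any other delta: expiry lands on the current second. */
static int64_t expiry_naive(int64_t now, long long max_age)
{
  if(max_age > 0 && max_age > INT64_MAX - now)
    return INT64_MAX;
  return now + max_age;
}

/* RFC 6265 section 5.2.2: a delta <= 0 means the earliest representable
   time, so the cookie is already expired when it is stored. */
static int64_t expiry_rfc6265(int64_t now, long long max_age)
{
  if(max_age <= 0)
    return INT64_MIN;
  if(max_age > INT64_MAX - now)
    return INT64_MAX;
  return now + max_age;
}

/* A cookie goes into the request unless its expiry is strictly in the past. */
static int cookie_is_sent(int64_t expires, int64_t now)
{
  return !(expires < now);
}

int main(void)
{
  const int64_t now = 1541980800; /* constructed timestamp */
  long long ma;
  if(parse_max_age("0", &ma)) /* value from a constructed "Max-Age=0" reply */
    return 1;
  printf("naive, same second: sent=%d\n", cookie_is_sent(expiry_naive(now, ma), now));
  printf("naive, 1s later:    sent=%d\n", cookie_is_sent(expiry_naive(now, ma), now + 1));
  printf("rfc, same second:   sent=%d\n", cookie_is_sent(expiry_rfc6265(now, ma), now));
  return 0;
}
```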