-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set-Cookie silently no longer sent without domain #6723
Comments
(This may have been an inadvertent change, I don't remember but I also don't find any explicit commit saying this.) The problem is that without a specific domain for the cookie, curl won't know for what sites to use the cookie and it would then presume it is for all domains you specify on the command line, and that's probably not many users want. The internal cookie engine needs a (single specific) domain to "attach" the cookie to. The solution is to store cookies with -c as a cookie-jar instead of just saving HTTP headers with partial information. This is a behavior change and as such it is a bug, but I don't think this is one that we'll benefit a lot by fixing. Especially not if it has been this way for 2.5 years already... |
Actually, I think we have to fix it. Cookies with the |
I'm taking a crack at this, along with some other cookie related things I had on my TODO while in there. |
I doubt I'm adding any value here, but I was changing code that had been passing the cookie like this:
That works in all versions of curl that I tried, so there must already be some code path that's happy with at least one cookie without a domain (perhaps that's what @danielgustafsson told us already). My goal was to hide the cookie's value from the process list. I did read:
... from https://everything.curl.dev/http/cookies but the cookiejar format from https://curl.se/docs/http-cookies.html made me think "surely I don't need that complexity". I was sad not to be able to use |
You mean by using that specific syntax? The command line tool is unfortunately wildly inconsistent in how you specify a file to read vs plain content, when the same option can do both. |
I don't think I even tried that before disabusing myself of that hope from the man page. The man page did hint that I might need a "Set-Cookie: " prefix in the file, but it was subtle enough that I don't think I took the hint without StackOverflow's help. A comment on StackOverflow then misled me into thinking I needed a semi-colon on the end. I'm not sure where I learned that I did need a newline on the end - otherwise no cookie is sent, though there's no warning to say "I spurn your half-baked --cookie!". Ooh, I see the man page does clearly state that omitting the domain is allowed:
|
...
The man page says:
... and cookie headers ("Set-Cookie style") of course need to be headers and a HTTP header always ends with a newline. In my mind that is clear but perhaps that should be clarified better. I now assume that when you talked about If you only did this to hide the cookie from PS output you could instead go with:
|
Indeed. I'd value a single example in the man page, one that stopped me fretting over whether a Set-Cookie: header includes the Set-Cookie: bit or the trailing punctuation, one that would help users of existing versions too, over that ~suggestion.
And because |
At the point in time when libcurl reads the cookie file from disk it hasn't parsed the provided URL yet so it doesn't even know what host name it will use from there and therefore it cannot easily use that as for example a default domain for headers stored without it. I'll keep my position that I think we should rather document this behavior and urge people to not load cookies from stored HTTP headers but instead use the more "appropriate" cookie jar format for that purpose. Or provide the |
... or the cookies won't get sent. Push users to using the "Netscape" format instead, which curl uses when saving a cookie "jar". Reported-by: Martin Dorey Fixes #6723
I did this
With 7.60.0, I get no cookie sent:
I expected the following
... as seen in:
curl/libcurl version
operating system
If I add an appropriate domain to the Set-Cookie file, then all is well:
Why am I sending you a bug report on a version from 3 years ago? Because I suspect that the cause of my pain is a change in this version, specifically b8d5036, which I will attempt to demonstrate by nobbling part of it and showing that the cookie returns:
I have no problem with the Set-Cookie file format requiring a domain. It would be nice if the requirement were documented, though the documentation for this file format is... skimpy. I suspect that this was an accidental change in behavior, a side-effect of a doubtless worthy performance improvement. If it's a change that trips up others, then they might appreciate finding a bug report that nudges them in the direction of adding a domain.
The text was updated successfully, but these errors were encountered: