Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cookies with empty domain are not stored, this is contrary to RFC and standard browser practice #9164

gwenshap opened this issue Jul 15, 2022 · 0 comments


Copy link

I did this

curl -v -c cookies.txt -X POST --header 'Content-Type: application/json' --data-raw $'{\n    "email": "blahblah",\n    "password": "xxx"\n}' -i

Part of the result was a cookie:

Set-Cookie: token=eyJhbGciblahblah;Version=1;Domain=;Path=/;Max-Age=86400;HttpOnly

Note that the Domain is an empty string.

I expected the following

Expected curl to store the cookie using the hostname as a domain (i.e. treat it the same as if the field was completely missing).

RFC 6265 has this behavior as "client should", and most browsers support it (Chrome:;l=290)

curl/libcurl version

curl 7.79.1 (x86_64-apple-darwin21.0) libcurl/7.79.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.45.1
Release-Date: 2021-09-22
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets

operating system

MacOS Monterey 12.4

Darwin 21.5.0 Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:37 PDT 2022; root:xnu-8020.121.3~4/RELEASE_ARM64_T6000 arm64
@bagder bagder self-assigned this Jul 18, 2022
@bagder bagder added the HTTP label Jul 18, 2022
bagder added a commit that referenced this issue Jul 18, 2022
This matches what RFC 6265 section 5.2.3 says.

Extended test 31 to verify.

Fixes #9164
Reported-by: Gwen Shapira
@bagder bagder closed this as completed in 4c0ac2a Jul 19, 2022
@bagder bagder added the cookies label Nov 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Successfully merging a pull request may close this issue.

2 participants