Skip to content

Delete multiple cookie with same-key when Path is different but Domain is specified #32897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 24, 2021
Merged

Delete multiple cookie with same-key when Path is different but Domain is specified #32897

merged 5 commits into from
May 24, 2021

Conversation

@wcontayon
Copy link
Contributor

@wcontayon wcontayon commented May 21, 2021
edited
Loading

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

PR Title
Fix multiple cookies deletion with same-key when Path is different but Domain is specified

PR Description
Update the cookie reject predicate to add a new condition that take into account the domain and the path.

(https://github.com/wcontayon/AspNetCore/blob/038557748532e6cc0eeff304ab5cbd7f147f7e72/src/Http/Http/src/Internal/ResponseCookies.cs#L162-L168)

Addresses #30579

@ghost ghost added area-runtime community-contribution Indicates that the PR has been added by a community member labels May 21, 2021
BrennanConroy
BrennanConroy reviewed May 21, 2021
View reviewed changes
src/Http/Http/test/ResponseCookiesTest.cs Outdated

var cookieHeaderValues = headers.SetCookie.ToArray();
Assert.True(cookieHeaderValues.Length == testCookies.Length);
Assert.All(cookieHeaderValues, cookie => Assert.Contains("path=/", cookie));
Copy link
Member

@BrennanConroy BrennanConroy May 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should be verifying the full path and domain are set in the response

https://tools.ietf.org/search/rfc6265#section-3.1
Finally, to remove a cookie, the server returns a Set-Cookie header
with an expiration date in the past. The server will be successful
in removing the cookie only if the Path and the Domain attribute in
the Set-Cookie header match the values used when the cookie was
created.

wcontayon and others added 2 commits May 21, 2021 18:52
@wcontayon wcontayon requested a review from BrennanConroy May 21, 2021 20:16
@BrennanConroy BrennanConroy self-assigned this May 21, 2021
BrennanConroy
BrennanConroy reviewed May 21, 2021
View reviewed changes
src/Http/Http/test/ResponseCookiesTest.cs Outdated
Assert.Equal(testCookies.Length, cookieHeaderValues.Length);

var deletedCookies = cookieHeaderValues.ToArray();
Assert.Contains(deletedCookies, cookie => cookie.StartsWith("key1", StringComparison.InvariantCulture) && cookie.Contains("path=/"));
Copy link
Member

@BrennanConroy BrennanConroy May 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't test for just "path=/" because it matches both cookies, so we're not actually testing that both are there 😄

Copy link
Contributor Author

@wcontayon wcontayon May 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Effectively 🙂.
In this case, we can improve the testing with specific path "/path1/", "path2/",and test the matching.

Tratcher
Tratcher reviewed May 21, 2021
View reviewed changes
Tratcher
Tratcher reviewed May 21, 2021
View reviewed changes
BrennanConroy
BrennanConroy approved these changes May 24, 2021
View reviewed changes
src/Http/Http/src/Internal/ResponseCookies.cs
{
rejectPredicate = (value, encKeyPlusEquals, opts) =>
value.StartsWith(encKeyPlusEquals, StringComparison.OrdinalIgnoreCase) &&
value.IndexOf($"domain={opts.Domain}", StringComparison.OrdinalIgnoreCase) != -1 &&
Copy link
Member

@BrennanConroy BrennanConroy May 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: in the future we can consider removing these string allocs, don't change this PR

@BrennanConroy BrennanConroy merged commit 15fedb4 into dotnet:main May 24, 2021
@ghost ghost added this to the 6.0-preview6 milestone May 24, 2021
@BrennanConroy
Copy link
Member

BrennanConroy commented May 24, 2021

Thanks @wcontayon !

@wcontayon wcontayon deleted the 30579-delete_multiple_same-key_cookies branch May 24, 2021 16:48
@BrennanConroy BrennanConroy mentioned this pull request May 24, 2021
Closed
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Aug 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Tratcher Tratcher Tratcher approved these changes

@BrennanConroy BrennanConroy BrennanConroy approved these changes

+1 more reviewer

@adr31 adr31 adr31 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@BrennanConroy BrennanConroy

Labels

area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions community-contribution Indicates that the PR has been added by a community member

Projects

None yet

Milestone

6.0-preview6

Development

Successfully merging this pull request may close these issues.

5 participants

@wcontayon @BrennanConroy @Tratcher @adr31 @amcasey