net/http: SetCookie is creating invalid headers #29804

Open
Rickgrendel opened this Issue Jan 18, 2019 · 3 comments

Rickgrendel commented Jan 18, 2019

What version of Go are you using (go version)?

$ go version
go version go1.11.2 windows/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\Rick\AppData\Local\go-build
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:\Users\Rick\Documents\projects\cerebral\
set GOPROXY=
set GORACE=
set GOROOT=C:\Go
set GOTMPDIR=
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\Rick\AppData\Local\Temp\go-build507667558=/tmp/go-build -gno-record-gcc-switches

What did you do?

Create a secure cookie with github.com/gorilla/securecookie (which from their side works) and create a cookie with http.setcookie()

var hashKey = []byte("testkey") // for testing purposes
var blockKey = []byte(securecookie.GenerateRandomKey(32))

var s = securecookie.New(hashKey, blockKey)
if encoded, err := s.Encode("cookie-name", value); err == nil {
  cookie := &http.Cookie{
    Name:     "cookie-name",
    Value:    encoded,
    Path:     "/",
    Secure:   true,
    HttpOnly: true,
  }

  http.SetCookie(*w, cookie) // w = *http.ResponseWriter

...

What did you expect to see?

In my REST client for testing I expected to see a valid Set-Cookie header but the header is written as setcookie and the Secure and HttpOnly flags are missing.

What did you see instead?

setcookie:cookiename=MTU0NzczNTM0N3xGOTJYUUw5TFNXZHI2dU9jT3hCeTZUTE5TaTBFNU1XN1F 5WGMzb3c1dGZRUENEU2xPZHFwTXJQLW8zND18_VCYxNVRbIAUrs9_8EcGpTUEiqVyYL_2M5Olbjhnkeg =; Path=/

An invalid cookie header created by http.setcookie()

bradfitz changed the title from "net/http: http.setcookie is creating invalid headers" to "net/http: SetCookie is creating invalid headers" on Jan 18, 2019

Member

bradfitz commented Jan 18, 2019

Can you write an example that doesn't use third-party packages? (that is, how do we know this isn't a bug in securecookie or in your code connecting the two?)

And what part of the output do you think is invalid? We could figure it out, but it helps if you're more explicit in bug reports.

@bradfitz bradfitz added this to the Go1.13 milestone Jan 18, 2019

Author

Rickgrendel commented Jan 24, 2019

Okay, this is the code without third-party packages. Still the same result.

cookie := &http.Cookie{
  Name:     "cookie-name",
  Value:    "Hello World!",
  Path:     "/",
  Secure:   true,
  HttpOnly: true,
}

http.SetCookie(*w, cookie) // w = *http.ResponseWriter

The part that is invalid is that the header for the cookie is setcookie instead of Set-Cookie. Google Chrome doesn't even see the header.

Member

bradfitz commented Jan 24, 2019

@Rickgrendel, the string "setcookie" (in any case) does not appear in the Go source tree, so not sure why you think you see that.

I certainly don't see that: https://play.golang.org/p/G2J_7TnSA9n

We use Set-Cookie (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie etc)
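
Added example, not part of the thread or of the Go project's code: a self-contained check of what net/http stores and serializes for the cookie from the second report, including whether the Secure and HttpOnly attributes survive. The `inspect` helper is a hypothetical name, and the handler is assumed to receive the `http.ResponseWriter` value directly.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// handler sets the cookie from the report. w is the http.ResponseWriter
// interface value itself, not a pointer to it.
func handler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name: "cookie-name", Value: "Hello World!",
		Path: "/", Secure: true, HttpOnly: true,
	})
}

// inspect (hypothetical helper) runs h in-process and returns the header name
// exactly as stored, the serialized value, and the cookie parsed back from it.
func inspect(h http.HandlerFunc) (key, raw string, c *http.Cookie, err error) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("GET", "/", nil))
	for k, vals := range rec.Header() {
		// Match loosely so a misspelled or non-canonical header name
		// would still be found and reported exactly as stored.
		if strings.EqualFold(strings.ReplaceAll(k, "-", ""), "setcookie") && len(vals) > 0 {
			key, raw = k, vals[0]
		}
	}
	if key == "" {
		return "", "", nil, fmt.Errorf("no cookie header emitted")
	}
	cookies := rec.Result().Cookies() // parses only the canonical Set-Cookie key
	if len(cookies) == 0 {
		return key, raw, nil, fmt.Errorf("header %q not parseable as Set-Cookie", key)
	}
	return key, raw, cookies[0], nil
}

func main() {
	key, raw, c, err := inspect(handler)
	if err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Printf("%s: %s\n", key, raw)
	fmt.Printf("Secure=%v HttpOnly=%v\n", c.Secure, c.HttpOnly)
}
```

Because the value contains a space, net/http wraps it in double quotes in the serialized header; the parsed cookie value comes back without them.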
