Given the following tiny Go HTTP server
```go
package main

import (
	"net/http"
)

// set issues the session cookie with the Secure attribute enabled.
func set(rw http.ResponseWriter, _ *http.Request) {
	http.SetCookie(rw, &http.Cookie{
		Name:     "session-token",
		Value:    "token here",
		Secure:   true,
		HttpOnly: false,
		SameSite: http.SameSiteNoneMode,
	})
	rw.Write(nil)
}

// get echoes the cookie value back, or an empty body if the cookie was not sent.
func get(rw http.ResponseWriter, req *http.Request) {
	cookie, err := req.Cookie("session-token")
	if err != nil {
		rw.Write(nil)
		return
	}
	rw.Write([]byte(cookie.Value))
}

func main() {
	http.HandleFunc("/set-cookie", set)
	http.HandleFunc("/get-cookie", get)
	// Plain HTTP listener on localhost:8090 (no TLS).
	panic(http.ListenAndServe(":8090", nil))
}
```
If you set the cookie to a session with the following command
```bash
http --session=./session.json GET http://localhost:8090/set-cookie
```
I would expect to be able to get the cookie value by next running
```bash
http --session=./session.json GET http://localhost:8090/get-cookie
```
However, the cookie is unset in the second request if the Secure flag is set to true.
As per the spec; A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
This appears to be mishandled in httpie, as it is not sending secure cookies when localhost is used.
Expected Behavior
Secure cookies are sent in localhost requests even if https is not in use
Actual Behavior
Secure cookies are not set
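The behaviour requested above, sketched against Python's standard `http.cookiejar` as an added example (not code from this issue or from HTTPie): the stock policy withholds a Secure cookie from plain-HTTP localhost, while a subclass that treats loopback hosts as trustworthy sends it. `is_loopback_host`, `LoopbackAwarePolicy`, `cookie_header` and the cookie value are hypothetical names and constructed data; the `localhost.local` domain is how `http.cookiejar` names dotless hosts internally.

```python
import ipaddress
import urllib.request
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy, request_host


def is_loopback_host(host: str) -> bool:
    """True for localhost, *.localhost and loopback IP literals only."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # ordinary DNS name, e.g. localhost.example.com


class LoopbackAwarePolicy(DefaultCookiePolicy):
    """Hypothetical policy: Secure cookies also go to loopback over HTTP."""

    def return_ok_secure(self, cookie, request):
        if super().return_ok_secure(cookie, request):
            return True  # cookie is not Secure, or the request is HTTPS
        return is_loopback_host(request_host(request))


def cookie_header(policy, url: str, domain: str):
    """Store one constructed Secure cookie; return the Cookie header sent to url."""
    jar = CookieJar(policy)
    jar.set_cookie(Cookie(
        version=0, name="session-token", value="abc123",  # constructed value
        port=None, port_specified=False,
        domain=domain, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True, secure=True, expires=None,
        discard=True, comment=None, comment_url=None, rest={},
    ))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")  # None when the jar withheld the cookie
```

The match is on the exact `localhost` label and loopback address literals, so a name such as `localhost.example.com` over plain HTTP still gets no Secure cookie.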
Thanks for the report @Oliver-Fish, we are looking into it.