wrap-session middleware doesn't url-decode the cookie before using it. #28
Conversation
|
This patch seems like it's fixing the symptoms, rather than the root cause of the problem. If cookie values are not being url-encoded under some circumstances, this is a problem to be fixed in the cookie middleware. Do you know under what conditions this bug occurs? |
|
Hi, I am not sure if the cookie middleware should be able to tell if the cookie data is url-encoded or not because not all cookies will get url-encoded. I can reproduce the problem when I use the session middlware to store the session in an encrypted cookie. When the encrypted data is base64 encoded it yields a string with characters like If you still believe it should be in the cookie middleware I am willing to rework the patch. Thanks. |
|
It is unlikely that the browser is the cause. Browsers do not automatically url-encode cookies, and whilst it's possible that there could be some Javascript url-encoding cookie values, it doesn't seem that likely. The Ring cookie middleware does url-encode cookie values in order to ensure special characters can be safely added. Perhaps this problem is caused by the cookie middleware being applied twice, or perhaps there is some url-encoding going on elsewhere that is causing this problem. But in all cases, we need to discover the cause of the bug before we attempt a solution. If we do not understand why the session key is mysteriously url-encoded, then we shouldn't try and fix it by patching the symptoms. We should instead attempt to understand the cause, and fix the problem at the root. |
Remove reflection warnings in ring-core
I faced a weird bug today wherein the browser was sending the cookie string back to the server after url-encoding it and wrap-session tried decrypting the cookie without decoding the encoded cookie.
I am attaching a trivial patch that fixes the problem. url-decoding is idempotent so it won't affect anything even when the cookie is not url-encoded.