When visiting (logging in to) zh.wikisource.org, cookies for the following domain are set:
.wikisource.org
If one visits wikisource.org afterwards, cookies for the following domain are set:
wikisource.org
After i.e. logout from zh.wikisource.org, zh.wikisource.org sends a cookie invalidation request for .wikisource.org. Requests invalidates them correctly and correctly leaves the wikisource.org cookies untouched.
But for further communication with zh.wikisource.org, requests incorrectly uses the remaining wikisource.org cookie, which is rejected by zh.wikisource.org and followed by a cookie invalidation request for .wikisource.org.
Expected Result
It looks like the cookie handling library used by requests is doing something wrong (at least according to the RFCs), as it should not send the host-only cookie for wikisource.org to zh.wikisource.org. If it's using RFC 2109, "zh.wikisource.org" does not domain-match the cookie for "wikisource.org" because "wikisource.org" doesn't begin with a dot. If it's using RFC 6265, the domainless cookie for "wikisource.org" should have had the host-only-flag set meaning it should not be sent to "zh.wikisource.org". OTOH, it's possible it's being bug-compatible with browsers (RFC 6265 even notes that such a bug exists/existed in some agents in § 4.1.2.3).
Actual Result
As written above, requests uses the wikisource.org cookie for zh.wikisource.org, which is rejected by zh.wikisource.org and followed by a cookie invalidation request for .wikisource.org. That is fulfilled (no cookies for .wikisource.org are set), but requests still tries to push cookies for wikisource.org to zh.wikisource.org. So the actual result is an endless loop (https://travis-ci.org/github/wikimedia/pywikibot/jobs/669558038#L13763).
dvorapa changed the title from "Incorrect cookie handling" to "Incorrect cookie handling: third level domains use second level domain cookies" (Apr 2, 2020)
dvorapa changed the title from "Incorrect cookie handling: third level domains use second level domain cookies" to "Incorrect cookie handling: third level domain uses second level domain cookies, ends up in endless loop" (Apr 2, 2020)
dvorapa changed the title from "Incorrect cookie handling: third level domain uses second level domain cookies, ends up in endless loop" to "Incorrect cookie handling: third level domain incorrectly uses second level domain cookies" (Apr 2, 2020)
Reproduction Steps
Simple:
Elaborate:
System Information
Reproduced on many PCs with many configurations and also on Travis-CI. Here is one:
Links:
Reported and described in more detail in: https://phabricator.wikimedia.org/T224712
Reproducible immediately in: https://repl.it/repls/HarmfulBiodegradableExperiments
Pastebin (just in case): https://pastebin.com/7d7Dn9p1
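The RFC 6265 behaviour the report expects, as an added example that is not code from requests or from the original report: a cookie stored without a Domain attribute gets the host-only-flag and is returned only to the identical host. The `Jar` class and the cookie names and values are constructed for illustration; Path, expiry dates and IP-address hosts are left out.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # stored without a leading dot (RFC 6265 section 5.2.3)
    host_only: bool  # True when Set-Cookie carried no Domain attribute

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + domain."""
    return host == domain or host.endswith("." + domain)

class Jar:
    def __init__(self):
        self.cookies = {}  # keyed by (name, domain); Path is left out for brevity

    def set_cookie(self, request_host, name, value, domain_attr=None, expired=False):
        """Section 5.3: a missing Domain attribute sets the host-only-flag."""
        host = request_host.lower()
        if domain_attr:
            d = domain_attr.lower()
            domain = d[1:] if d.startswith(".") else d
            if not domain_match(host, domain):
                return  # a server may not set cookies for an unrelated domain
            host_only = False
        else:
            domain, host_only = host, True
        if expired:
            self.cookies.pop((name, domain), None)  # invalidation request
        else:
            self.cookies[(name, domain)] = Cookie(name, value, domain, host_only)

    def cookies_for(self, request_host):
        """Section 5.4: a host-only cookie is sent only to the identical host."""
        host = request_host.lower()
        return sorted(
            c.name for c in self.cookies.values()
            if (host == c.domain if c.host_only else domain_match(host, c.domain))
        )

def replay_issue_scenario():
    """Constructed replay of the sequence in the report; cookie names are made up."""
    jar = Jar()
    jar.set_cookie("zh.wikisource.org", "session", "abc", domain_attr=".wikisource.org")
    jar.set_cookie("wikisource.org", "anon", "xyz")  # no Domain: host-only
    before_logout = jar.cookies_for("zh.wikisource.org")
    jar.set_cookie("zh.wikisource.org", "session", "", ".wikisource.org", expired=True)
    return before_logout, jar.cookies_for("zh.wikisource.org"), jar.cookies_for("wikisource.org")
```

After the invalidation, nothing is left to send to zh.wikisource.org, so a client that follows these rules has no cookie for the server to reject.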