[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly

From: Lars Ingebrigtsen
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Sun, 15 Apr 2018 21:47:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Alain Schneble <address@hidden> writes:

> Processing an HTTP response with a Set-Cookie header and HttpOnly
> attribute creates a phantom cookie with name HttpOnly.  url-cookie.el
> (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
> as the name of an additional cookie, thus interpreting Set-Cookie header
> value as it would contain multiple cookies.  This is wrong.  See also
> RFC6265 HTTP State Management Mechanism, section
> https://www.rfc-editor.org/rfc/rfc6265.txt.
> Here's a recipe to reproduce this issue:
> - emacs -Q
> - Eval the following fragment:
>   (let ((file (make-temp-file "CookieHttpOnly")))
>     (with-temp-buffer
>       (insert
>        "(setq url-cookie-storage nil)\n"
>        "(setq url-cookie-secure-storage nil)")
>       (write-file file))
>     (setq url-cookie-file file)
>     (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile";)
>     (url-cookie-write-file)
>     (find-file file))
> - The visited cookies file should now contain two cookie entries:
>   ("en.wikipedia.org"
>         [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 
> 12:00:00 GMT" "/" "en.wikipedia.org" t]
>         [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" 
> "en.wikipedia.org" t])
>   => The second cookie entry is not expected.

I'm unable to reproduce this now, and I seem to vaguely remember this
being fixed a while ago?  Are you still seeing this, Alan?

(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

reply via email to

[Prev in Thread] Current Thread [Next in Thread]