Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

curl doesn't expire cookies with negative Max-Age #9930

Closed
godmar opened this issue Nov 17, 2022 · 0 comments
Closed

curl doesn't expire cookies with negative Max-Age #9930

godmar opened this issue Nov 17, 2022 · 0 comments
Assignees
@bagder
Labels
cookies

Comments

@godmar
Copy link

godmar commented Nov 17, 2022

I noticed that when curl receives a Set-Cookie header with Max-Age=-1 (or any negative number) it will not immediately expire the cookie. Rather, the cookie will stay in the cookie jar when curl exits.

I believe that this is related to c3fdeca which works only for Max-Age=0, see Issue #3351.

However, @Badger quotes RFC6265 in this comment as stating that:

If delta-seconds is less than or equal to zero (0) ....

In my opinion, patch c3fdeca may work only if delta-seconds is equal to zero and not if it is less than. I have verified this with a server: when I send Max-Age: 0, the cookie is immediately removed from the cookie jar, whereas if I set Max-Age: -1 it is not removed until the next time I run curl -c ...

My output with Max-Age: -1

* Added cookie auth_token="" for domain localhost, path /, expire 0
< Set-Cookie: auth_token=; Path=/; Max-Age=-1; HttpOnly
...

next invocation:

> Cookie: auth_token=

and the cookie jar contains:

#HttpOnly_localhost	FALSE	/	FALSE	0	auth_token

By contrast, Max-Age=0 yields:

* Added cookie auth_token="" for domain localhost, path /, expire 1
< Set-Cookie: auth_token=; Path=/; Max-Age=0; HttpOnly

and the cookie is gone from the cookie jar.
@bagder bagder self-assigned this Nov 17, 2022
bagder added a commit that referenced this issue Nov 17, 2022
@bagder
cookie: expire cookies at once when max-age is negative
bf1cc91 
Update test 329 to verify

Reported-by: godmar on github
Fixes #9930
@bagder bagder mentioned this issue Nov 17, 2022
Closed
@bagder bagder added the cookies label Nov 17, 2022
@bagder bagder closed this as completed in cc3d517 Nov 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bagder bagder

Labels
cookies
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cookie: expire cookies at once when max-age is negative curl/curl
2 participants
@bagder @godmar