curl-users

Bugs with cookies

From: Clay Loveless <lists_at_crawlspace.com>
Date: Tue, 26 Feb 2002 02:04:38 -0800

Hello --

I believe I've found that the current stable version of curl has some cookie
bugs.

Curl version:
curl 7.9.4 (powerpc-apple-darwin1.4) libcurl 7.9.4 (OpenSSL 0.9.6b)

URL tested:
Testing an SSL post to https://my.screenname.aol.com/_cqr/login/login.psp

Description of Problem:
I've used the "cookiejar" option to save cookies between requests. In
addition, I've dumped response headers so that I can compare against the two
... And have found that they are frequently not the same. Specifically,
Set-cookie headers that are not precisely formatted are problematic.

Example:
Header dump shows:
Set-Cookie:MC_SITE_ACT=8XKhv6+CpWmcr24rn3RRwUqB7GJW+Iypy4IH0yrcJVRHLKgGdg1YX
5APRKdyMOUg6Qw4NcUHe+Y=; path=/; domain=my.screenname.aol.com;

Cookiejar records:
my.screenname.aol.com FALSE / FALSE 0 C_SITE_ACT
8XKhv6+CpWmcr24rn3RRwUqB7GJW+Iypy4IH0yrcJVRHLKgGdg1YX5APRKdyMOUg6Qw4NcUHe+Y=

In addition, I've made requests to this same page with a browser and tcpflow
to watch the comings and goings of cookies. The browser seems to be sending
far fewer cookies than cURL is "seeing" and/or recording.

In the example above, there are many duplicates in the cookiejar file for
domains of "my.screenname.aol.com" and "screenname.aol.com". The
"screenname.aol.com" entries are listed first in the cookiejar file, and
have accurate values... However, the "my.screenname.aol.com" values are
listed below the "non-my" entries, and have blank values. Unfortunately,
those are the values that appear to be sent back on subsequent requests.

For what it's worth, AOL's servers are pretty erratic about their cookie
formatting... Here are a few other examples of what they send:

Set-cookie: MC_MS_LDC=x; path=/ ; domain=screenname.aol.com; expires=Fri,
31-Dec-1980 23:59:59 GMT;

(note space after / in path)

Some of their headers are "Set-cookie", others are "Set-Cookie" ... And
about 80% of their cookie headers don't end in semi-colons, many of which do
not get written properly to the cookiejar file (if they get written at all).

I'm in dire need of a reliable cookie handler ... If there's anything else I
can document to clarify this problem, please let me know. I know that some
of these issues have come up in the past (according to the changelog and
list archives) ... But unfortunately some of them appear to still be
lingering.

Please let me know if I can help out on this further.

Regards,
-Clay

___________________________
Clay Loveless
Webmaster, Crawlspace
http://www.crawlspace.com/
Received on 2002-02-26
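
An added example, not part of the original post and not curl's own code: a Set-Cookie line parser in C that tolerates the quirks the post lists (mixed-case header name, no space after the colon, a space before ';', no trailing semicolon). The struct, function names and buffer sizes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct cookie { char name[64], value[256], path[64], domain[128]; }; /* hypothetical */

/* Copy [s, e) into dst, trimming surrounding whitespace and truncating to cap. */
static void copy_trimmed(char *dst, size_t cap, const char *s, const char *e)
{
    while (s < e && isspace((unsigned char)*s)) s++;
    while (e > s && isspace((unsigned char)e[-1])) e--;
    size_t n = (size_t)(e - s);
    if (n >= cap) n = cap - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Parse one Set-Cookie header line. Returns 0 on success, -1 otherwise. */
int parse_set_cookie(const char *line, struct cookie *c)
{
    memset(c, 0, sizeof *c);
    /* Header names are case-insensitive: "Set-cookie" and "Set-Cookie" match. */
    if (strncasecmp(line, "Set-Cookie:", 11) != 0) return -1;
    const char *p = line + 11;            /* no space is assumed after ':' */
    int first = 1;
    while (*p) {
        const char *end = strchr(p, ';'); /* the last pair may lack a ';' */
        if (!end) end = p + strlen(p);
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (first && !eq) return -1;      /* first segment must be name=value */
        if (eq) {
            char key[64];
            copy_trimmed(key, sizeof key, p, eq);
            if (first) {
                copy_trimmed(c->name, sizeof c->name, p, eq);
                copy_trimmed(c->value, sizeof c->value, eq + 1, end);
            } else if (strcasecmp(key, "path") == 0)
                copy_trimmed(c->path, sizeof c->path, eq + 1, end);
            else if (strcasecmp(key, "domain") == 0)
                copy_trimmed(c->domain, sizeof c->domain, eq + 1, end);
        }
        first = 0;
        p = *end ? end + 1 : end;
    }
    return 0;
}

int main(void)
{   /* sample header adapted from the post (expires attribute dropped) */
    struct cookie c;
    if (parse_set_cookie("Set-cookie: MC_MS_LDC=x; path=/ ; domain=screenname.aol.com", &c) == 0)
        printf("%s=%s path=%s domain=%s\n", c.name, c.value, c.path, c.domain);
}
```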