cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Bugs with cookies

From: Clay Loveless <lists_at_crawlspace.com>
Date: Thu, 28 Feb 2002 08:30:39 -0800

Okay, this is a representative example of what I get back in terms header
dump from an SSL form posting:

Assume the form is: https://my.name.foo.com/_cqr/login.cgi

Set-cookie: MC_CMP_ESK=iwcTvz8TLzVnqzp6yF31fA==; path=/; domain=.foo.com
Set-cookie: MC_MS_LDC=1 - - 1014883477 1 1014883477 0; path=/ ;
domain=name.foo.com; expires=Fri, 31-Dec-2005 23:59:59 GMT;
Set-cookie: MC_MS_LDC=1 - - 1014883477 1 1014883477 0; path=/ ;
domain=name.foo.com; expires=Fri, 31-Dec-2005 23:59:59 GMT;
Set-cookie: WA_TMCJ_S=diAyMDAga2lkIDYz; path=/_cqr; domain=name.foo.com
Set-cookie: WA_TMCJ_ESK=1; path=/; domain=.foo.com
Set-cookie: MC_CMP_ESKX=2gKL/yeamyA1qkgtCkbGTg==; path=/; expires=Tuesday,
27-Aug-02 08:04:38 GMT; domain=.foo.com
Set-cookie: MC_CMP_SX=diAxLjAga2lkIDIwMDIwMTE4MDIwMDAyMDM0Nw%3d%3d;
path=/_cqr; expires=Tuesday, 27-Aug-02 08:04:38 GMT; domain=name.foo.com
Set-cookie: MC_CMP_S=diAxLjAga2lkIDIwMDIwMjI3MDIwMDAxMDM1Ng%3d%3d-6tzX;
path=/_cqr; domain=name.foo.com
Set-cookie: MC_CMP_SLX=diAxLjAga2lkIDIwMDIwMTE4MDIwMD; path=/_cqr;
expires=Tuesday, 27-Aug-02 08:04:38 GMT; domain=name.foo.com
Set-cookie: MC_MS_LDC=1 aolcomprod 1 1014883477 0 1014883477 0; path=/ ;
domain=name.foo.com; expires=Fri, 31-Dec-2005 23:59:59 GMT;
Set-cookie: MCSS=aolcomprod; domain=.foo.com; path=/
Set-cookie: MC_CMP_SLX=diAxLjAga2lkIDIwMDIwMTE4MDIwMD; path=/_cqr;
expires=Tuesday, 27-Aug-02 08:04:38 GMT; domain=name.foo.com
Set-cookie: MC_CMP_AX=diAxLjAga2lkIDIwMDIwMTE4MDIwMDAyMDM0Nw%3d%3d;
path=/_cqr; expires=Tuesday, 27-Aug-02 08:04:38 GMT; domain=name.foo.com
Set-cookie: MC_CMP_A=diAxLjAga2lkIDIwMDIwMjI3MDIwMDAxMDM1Ng%3d%3d-3e;
path=/_cqr; domain=name.foo.com
Set-cookie: MC_CMP_SLX=; expires=Thu, 30-Oct-1980 16:00:00 GMT; path=/_cqr;
domain=.foo.com
Set-cookie: MC_CMP_A=; expires=Thu, 30-Oct-1980 16:00:00 GMT; path=/_cqr;
domain=my.name.foo.com
Set-cookie: MC_CMP_AX=; expires=Thu, 30-Oct-1980 16:00:00 GMT; path=/_cqr;
domain=my.name.foo.com

Here's how I'm filtering this (with PHP) to get "good" cookies. (This is
working in my particular situation -- I don't suggest that it would or
wouldn't work in EVERY situation by any means.)

1. Check the three MC_MS_LDC cookies. The one that's "good" does not have
dashes in the value.

2. Other than the MC_MS_LDC cookies, consider the cookies that do not have
empty values to be "good".

What was happening before I did this filtering was that the good values in
cookies like MC_CMP_SLX, MC_CMP_A, MC_CMP_AX were being cancelled out by the
empty ones at the bottom of the headers.

Also -- while I've trimmed down the ACTUAL values considerably for this
example, the MC_CMP_SLX cookie shows up three times -- two are identical,
the third is blank and has a different domain. I just need ONE of the two
identical ones.

To follow up on your question, the ones with trailing spaces don't seem to
be problematic.

Again, I don't suggest that the way I'm dealing with these cookies would
work in every situation on any site. It's just working to help me work
around this bug for the time being on the specific site I'm working with. :)
This is a recurring pattern -- something like the above happens every single
time I read the headers back from this SSL post. Duplicate cookies, some
with "bad" or incomplete values, some with good values. Some empty ones.
Similar but different domains.

Based on this manual filtering, I don't know how cURL would need to be
adjusted ... I haven't dug that deeply into the cURL source. (Not sure I'd
know what I was looking at anyway -- I'm not a seasoned C guy.)

-Clay

___________________________
Clay Loveless
Webmaster, Crawlspace
http://www.crawlspace.com/

> From: Daniel Stenberg <daniel_at_haxx.se>
> Reply-To: curl_at_contactor.se
> Date: Thu, 28 Feb 2002 09:07:46 +0100 (MET)
> To: Curl Mailinglist <curl_at_contactor.se>
> Subject: Re: Bugs with cookies
>
> On Wed, 27 Feb 2002, Clay Loveless wrote:
>
>> Looks like the problem persists with 7.9.5-pre4 ... After installing that
>> version, I'm still getting bogus "set-cookie" headers out of the header
>> dump file that results from my SSL POST.
>
> I've made some other cookie parser fixes in the CVS version. The trailing
> space fix I posted the other day was flawed too.
>
>> Since I've been working with this output for awhile now, I can read through
>> the dump file, look for the "good" cookies, separate them from the bad,
>> write out the good ones to a "cookiejar.txt" file, and then have all
>> subsequent requests (all NON-SSL) use that file for sending/receiving
>> cookies. All of that is working just fine.
>
> So which cookies are the "bad" ones? You mean the ones using trailing spaces
> in the values or the ones using the same name but a different domain as
> another cookie?
>
> I mean, based on your manual "filtering", how would curl need to be adjusted
> in order to do this filtering automaticly?
>
>> So -- looks like the bug I initially reported may just be relative to
>> reading back from SSL.
>>
>> Hope this helps ...
>
> It certainly helps, it does.
>
> --
> Daniel Stenberg -- curl groks URLs -- http://curl.haxx.se/
>
Received on 2002-02-28

This message: [ Message body ]
Next message: Clay Loveless: "Persistent connections and cookies"
Previous message: Blake Girardot: "7.9.5-pre4 tests on OS X 10.1.2"
In reply to: Daniel Stenberg: "Re: Bugs with cookies"
Next in thread: SM: "Re: Bugs with cookies"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]