curl-users
Re: using cookies
Date: Thu, 8 Jun 2006 12:05:44 -0600
On Mon, 5 Jun 2006, I wrote:
>I found curl's cookie jar stuff inadequate for the logins I want to do, especially for financial organizations that are much too paranoid about security through obscurity.
At 00:39 +0200 6/7/06, Daniel Stenberg wrote:
>It would be very interesting to get to know what particular cookie stuff that you've found curl incapable of. I do not share your experience.
My problem has been that some web developers, especially those involved with things financial, like to work with cookies using JavaScript or other unknown mechanisms to extract from or add to cookies from within html pages.
Things like mixing the content of a cookie with some piece of random code that is delivered in the html file. The result may be passed back in a POST or in an altered cookie. Sometimes a cookie sent by one server needs to be sent back to an entirely different site. I wonder if it's fiscal security or job security for the programmer.
I personally like perl for handling such things because I can maintain a hash of cookies that is easy to add to, examine, or change. When I pass the ball back to curl it's easy to send a string of modified cookies using the -b option. I tell curl to save the headers in temporary files that stay around for debugging. Reading them and extracting cookies with perl is trivial.
It's not curl's fault. No one should expect curl to stick its nose into a downloaded html file. PerlLib with a compiled executable would of course yield the same capabilities that I find I need but those programmers change things regularly so it's important to have easy-to-change and debugging-oriented scripts. What works for me is perl as the master calling curl as needed with temporary files that can be examined when something fails. Much better than perl's LWP module.
And I can develop on my Mac, with BBEdit worksheets, for use in a Linux box without even having a monitor there let alone a mouse and a decent editor.
Thanks for curl!!
Doug
-- Applescript syntax is like English spelling: Roughly, though not thoroughly, thought through.

Received on 2006-06-08
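The workflow described in the message above (perl keeps a hash of cookies, reads them out of header files that curl saved, and passes the edited set back with -b), as an added example that is not part of the original message. The header dump, the HTML snippet, the cookie names, the rule of appending a page nonce to a cookie, and the bank.example URL are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original message): a perl-side cookie hash
# fed from a header dump written by `curl -D`, handed back through `curl -b`.
use strict;
use warnings;

# Merge the Set-Cookie lines of a saved header dump into %$jar.
# Only name=value is kept; Path/Domain/Expires are ignored, so the script
# author decides which host each cookie is sent to. Max-Age=0 deletes.
sub absorb_headers {
    my ($jar, $text) = @_;
    for my $line (split /\r?\n/, $text) {
        next unless $line =~ /^Set-Cookie:\s*([^=;\s]+)=([^;]*)(.*)$/i;
        my ($name, $value, $attrs) = ($1, $2, $3);
        $value =~ s/\s+$//;
        if ($attrs =~ /;\s*Max-Age\s*=\s*0\b/i) { delete $jar->{$name} }
        else                                    { $jar->{$name} = $value }
    }
    return $jar;
}

# Build the "name=value; name=value" string that curl's -b option accepts.
sub cookie_string {
    my ($jar) = @_;
    return join '; ', map { "$_=$jar->{$_}" } sort keys %$jar;
}

# Constructed sample: what `curl -s -D login.hdr -o login.html URL` might save.
my $dump = join "\r\n",
    'HTTP/1.1 200 OK',
    'Content-Type: text/html',
    'Set-Cookie: SESSION=abc123; Path=/; Secure; HttpOnly',
    'Set-Cookie: probe=1; Max-Age=0',
    'Set-Cookie: SEED=41f0; Path=/login',
    '', '';
# Constructed sample body: the page's script mixes this value into a cookie.
my $html = '<script>var nonce = "9e7c";</script>';

my %jar;
absorb_headers(\%jar, $dump);
my ($nonce) = $html =~ /var nonce = "([0-9a-f]+)"/;
$jar{SEED} .= $nonce if defined $nonce;   # the step the page's JavaScript would do

# List form bypasses the shell, so cookie values are never parsed as shell syntax.
my @cmd = ('curl', '-s', '-D', 'step2.hdr', '-o', 'step2.html',
           '-b', cookie_string(\%jar), 'https://bank.example/account');
print join(' ', map { /\s/ ? "'$_'" : $_ } @cmd), "\n";
# system(@cmd) == 0 or die "curl failed: $?";   # uncomment to actually run curl
```

The saved header files contain live session cookies, so when they are kept around for debugging they belong in a directory readable only by the account running the script.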