curl-users

Re: Easy "POST" question but cannot figure it out!!

From: Doug McNutt <douglist_at_macnauchtan.com>
Date: Fri, 16 Nov 2007 13:54:51 -0700

At 10:03 -0800 11/16/07, jon_at_linertia.com wrote:
> > The Set-Cookie lines are all coming from the server. Curl is correctly
> > updating its cookie collection because the server is telling it to.
>
>Yes, but in firefox, it's using cookie XXXX. That's why something is
>weird. When I try to login using firefox it's using cookie XXXX while
>curl is trying to use cookie YYYY, which is why it's not working
>correctly.

I am regularly frustrated by sites that use JavaScript, or some other equivalent, to create and/or modify cookies taking data from the html page delivered. Often the required details are buried in a hidden <form> cell but they can also be in comments within the HTML or in some silly web bug that looks like a .gif or .png but is quite short and is really just a string.

One particular site that's bothering me right now is an apparently random string of over 2000 characters that gets sent back as a POST but it could well be a cookie generated or modified in JavaScript. It somehow accesses the system date/time function. It has to be right and it changes with each successive page requested.

Some programmers think that security can come from obfuscation but what they really do is cause me never to come back, even if I have to change brokers.

Curl's cookie manager came about after I started so I don't use it but I do seem to remember a problem or two with cookie overwriting being confused in the cookie-jar. I had the code all written to read and handle the headers saved in a -D specified place and I do have to open and read HTML documents in order to simulate modifications to cookies that are made by JavaScript. Perl makes that kind of thing fairly easy but I still wish I could strangle some of the web programmers or their supervisors.

<http://macnauchtan.com/software/FinpMod/FinpMod.html> requires some knowledge of perl but it does link to downloadable perl code that contains the cookie code I use.

*********
In this case it is possible that the reply with the POST is effectively being rejected for some other missing item, like a -A user agent or a referrer with a -H, and treating the attempted POST as a fresh new request from someone else. The PHP prefix on the cookie name in a way indicates use of canned PHP modules as opposed to badly conceived attempts at security.

-- 
--> From the U S of A, the only socialist country that refuses to admit it. <--
Received on 2007-11-16
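
Added example, not part of the original message and not the author's Perl code: a Python sketch of the manual approach the message describes, reading the `Set-Cookie` lines from a header dump saved with `-D` and collecting hidden `<form>` fields from the returned HTML so both can be sent back with the POST. The header dump, the page, the field names and the function names are all constructed for illustration; cookie path, domain and expiry attributes are ignored.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of a header dump as written by `curl -D headers.txt`.
HEADER_DUMP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: lang=en; path=/; HttpOnly\r\n"
    "Set-Cookie: PHPSESSID=def456; path=/\r\n"
    "\r\n"
)

# Constructed sample login page carrying hidden inputs.
PAGE = """
<form action="/login.php" method="post">
  <input type="hidden" name="token" value="9f2c&amp;x">
  <input type="HIDDEN" name="step" value="1">
  <input type="text" name="user">
</form>
"""

def cookies_from_dump(dump):
    """Return {name: value}; a later Set-Cookie for the same name overwrites."""
    jar = {}
    for line in dump.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            pair = rest.split(";", 1)[0].strip()  # drop path=, HttpOnly, ...
            key, eq, value = pair.partition("=")
            if eq:
                jar[key.strip()] = value.strip()
    return jar

class HiddenFields(HTMLParser):
    """Collect name/value of every <input type="hidden">."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def build_post(dump, page, visible):
    """Return (Cookie header value, urlencoded body) for the follow-up POST."""
    parser = HiddenFields()
    parser.feed(page)
    body = urlencode({**parser.fields, **visible})
    cookie = "; ".join(f"{k}={v}" for k, v in cookies_from_dump(dump).items())
    return cookie, body
```

The two returned strings are what would be handed to curl with `-b` and `-d` on the next request.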