curl-users

Re: Cookie jar handling in redirects

From: Charles Romestant <cromestant_at_gmail.com>
Date: Wed, 1 Apr 2015 12:20:54 -0400

On Tue, Mar 31, 2015 at 3:10 PM, Charles Romestant <cromestant_at_gmail.com>
wrote:

> Hello,
> I've been messing around with this for a few days, trying to test a custom
> oauth flow with no user interaction if some authentication headers are
> present.
> This flow basically moves from page to page setting cookies and finally
> returning to a specific callback URL.
> Now, this flow in the browser works (tested it) and in postman also, but
> I would love to leave an automated test with curl CLI running somewhere.
> In my tests, I see the redirections being followed properly, but the
> cookies are behaving a bit wonky.
> Let me explain:
>
> This is my command:
> curl -v -H "X-MSISDN-HASHED: ux2gcxCxLBcmBo4END_OF_HASH" -H "X-MSISDN: 5959ENDOFFvALUE" "https://pre-prod.id.myserver.com/oauth/v2/authorize?redirect_uri=http%3A%2F%2Fopenidtest.mycloud.net%3A3000%2Fcallback&client_id=oc3AOm2KTU92rG6Yzs7jAD74DUdTuuHO&scope=openid%20mobileid&login_hint=&prompt=none&response_type=code" -c cookies.txt -L >/dev/null
>
> As you can see I have a specific header and its hash (secret hashed),
> these, in normal circumstances, are added by a specific network element on
> non-SSL traffic on my net. So the flow goes from [https]URL_/authorize
> ->[HTTP]URL_ /openid -->[HTTPS]URL/other --> CALLBACK
>
> moving from https to http just to allow the network element to add the
> headers at one point of the flow.
>
> So the problem here is that I see the cookie being set and then unset by
> curl (full output [redacted for privacy of my comp] below)
>
>
> I can see the cookie being set:
> * Added cookie myserver_SESSION="" for domain pre-prod.id.myserver.com, path /, expire 1427845458
>
> < Set-cookie: myserver_SESSION = 22db4aad-8084-4094-c592-d8e5bad8756b; Max-Age=18000; Version=1; path=/
>
> but then I see on the second request (following the 302 redirect)
> > Cookie: myserver_SESSION=
> then on the third request my server sets another cookie, but this one
> is also ignored by curl (as evidenced by the content of the cookie file
> pasted at the end).
>
>
> In advance, thank you for your help.
>
>
> Charles-Romestant-MacBook-Air:~ cromestant$ time curl -v -H "X-MSISDN-HASHED: ux2gcxCxLBcmBo4END_OF_HASH" -H "X-MSISDN: 5959ENDOFFvALUE" "https://pre-prod.id.myserver.com/oauth/v2/authorize?redirect_uri=http%3A%2F%2Fopenidtest.myservercloud.net%3A3000%2Fcallback&client_id=oc3AOm2KTU92rG6Yzs7jAD74DUdTuuHO&scope=openid%20mobileid&login_hint=&prompt=none&response_type=code" -c cookies.txt -L >/dev/null
> * Hostname was NOT found in DNS cache
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
> * Trying 54.236.147.89...
> * Connected to pre-prod.id.myserver.com (54.236.147.89) port 443 (#0)
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> * Server certificate: id.myserver.com
> * Server certificate: Thawte SSL CA
> * Server certificate: thawte Primary Root CA
> > GET /oauth/v2/authorize?redirect_uri=http%3A%2F%2Fopenidtest.myservercloud.net%3A3000%2Fcallback&client_id=oc3AOm2KTU92rG6Yzs7jAD74DUdTuuHO&scope=openid%20mobileid&login_hint=&prompt=none&response_type=code HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: pre-prod.id.myserver.com
> > Accept: */*
> > X-MSISDN-HASHED: ux2gcxCxLBcmBo4END_OF_HASH
> > X-MSISDN: 5959ENDOFFvALUE
> >
> < HTTP/1.1 302 Found
> < Access-Control-Allow-Credentials: true
> < Access-Control-Allow-Headers: Authorization,Content-Type,Accept,Origin,X-Requested-With,X-CSDKVersion
> < Access-Control-Allow-Methods: OPTIONS,GET,POST
> < Access-Control-Allow-Origin:
> < Access-Control-Max-Age: 86400
> < Cache-Control: no-store
> < Location: http://pre-prod.id.myserver.com/openid?auth_flow=
> < Pragma: no-cache
> * Added cookie myserver_SESSION="" for domain pre-prod.id.myserver.com, path /, expire 1427845458
> < Set-cookie: myserver_SESSION = 22db4aad-8084-4094-c592-d8e5bad8756b; Max-Age=18000; Version=1; path=/
> < Content-Length: 0
> < Connection: keep-alive
> <
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
> * Connection #0 to host pre-prod.id.myserver.com left intact
> * Issue another request to this URL: 'http://pre-prod.id.myserver.com/openid?auth_flow='
> * Found bundle for host pre-prod.id.myserver.com: 0x7f8a59601850
> * Hostname was NOT found in DNS cache
> * Trying 54.208.60.119...
> * Connected to pre-prod.id.myserver.com (54.208.60.119) port 80 (#1)
> > GET /openid?auth_flow= HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: pre-prod.id.myserver.com
> > Accept: */*
> > Cookie: myserver_SESSION=
> > X-MSISDN-HASHED: ux2gcxCxLBcmBo4END_OF_HASH
> > X-MSISDN: 5959ENDOFFvALUE
> >
> < HTTP/1.1 302 Found
> < Access-Control-Allow-Origin:
> < Content-Type: application/json
> < Location: https://pre-prod.id.myserver.com/openid?auth_flow=
> < Content-Length: 125
> < Connection: keep-alive
> <
> * Ignoring the response-body
> { [data not shown]
> 100 125 100 125 0 0 147 0 --:--:-- --:--:-- --:--:-- 147
> * Connection #1 to host pre-prod.id.myserver.com left intact
> * Issue another request to this URL: 'https://pre-prod.id.myserver.com/openid?auth_flow='
> * Found bundle for host pre-prod.id.myserver.com: 0x7f8a59601850
> * Re-using existing connection! (#0) with host pre-prod.id.myserver.com
> * Connected to pre-prod.id.myserver.com (54.236.147.89) port 443 (#0)
> > GET /openid?auth_flow= HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: pre-prod.id.myserver.com
> > Accept: */*
> > Cookie: myserver_SESSION=
> > X-MSISDN-HASHED: ux2gcxCxLBcmBo4END_OF_HASH
> > X-MSISDN: 5959ENDOFFvALUE
> >
> < HTTP/1.1 200 OK
> < Access-Control-Allow-Origin: *
> < Cache-Control: no-cache, must-revalidate
> < Content-Type: text/html
> < Date: Tue, 31 03 2015 18:44:18 GMT
> < Pragma: no-cache
> * Replaced cookie myserver_SESSION="" for domain pre-prod.id.myserver.com, path /, expire 1427845458
> < Set-cookie: myserver_SESSION =d16dbaba-79f9-4b03-b801-b5f004ee716d; PROFILE-id=deleted; Max-Age=18000; Version=1; path=/
> < X-Powered-By: Express
> < Content-Length: 13529
> < Connection: keep-alive
> <
> { [data not shown]
> 100 13529 100 13529 0 0 13926 0 --:--:-- --:--:-- --:--:-- 13926
> * Connection #0 to host pre-prod.id.myserver.com left intact
>
> real 0m0.987s
> user 0m0.034s
> sys 0m0.017s
>
> Charles-Romestant-MacBook-Air:~ cromestant$ cat cookies.txt
> # Netscape HTTP Cookie File
> # http://curl.haxx.se/docs/http-cookies.html
> # This file was generated by libcurl! Edit at your own risk.
>
> pre-prod.id.myserver.com FALSE / FALSE 1427845458 myserver_SESSION
>
> --
> MSc. Charles M. Romestant F.
>
>
> Please think about the environment before you print this e-mail

-- 
MSc. Charles M. Romestant F.
Please think about the environment before you print this e-mail

Found more information and created a bug report
https://github.com/bagder/curl/issues/195

Received on 2015-04-01
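
A check for the symptom reported in the mail above (a session cookie written to the jar with an empty value), as an added example that is not part of the original mail or of curl. It reads a Netscape-format cookie jar as written by `curl -c`; the function names `jar_cookie_value` and `write_sample_jar`, the `example.test` host and the `demo_SESSION` entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail or the curl project.
# Reads a Netscape-format cookie jar (as written by `curl -c`) and reports
# whether a named cookie was stored with a usable value.

# jar_cookie_value JAR NAME
#   Prints the stored value. Returns 0 if the cookie is present and non-empty,
#   1 if it is present with an empty value, 2 if it is absent.
jar_cookie_value() {
    awk -F '\t' -v name="$2" '
        { sub(/\r$/, "") }                           # tolerate CRLF jars
        /^#HttpOnly_/ { sub(/^#HttpOnly_/, "") }     # HttpOnly entries carry this prefix
        /^#/ || NF < 6 { next }                      # comments, blank or short lines
        $6 == name { found = 1; value = $7 }         # fields: 6 = name, 7 = value
        END {
            if (!found) exit 2
            print value
            exit (value == "" ? 1 : 0)
        }' "$1"
}

# Constructed sample jar: the first entry mirrors the jar shown in the mail
# (cookie stored with an empty value); the second is a made-up entry with a value.
write_sample_jar() {
    {
        printf '# Netscape HTTP Cookie File\n\n'
        printf 'pre-prod.id.myserver.com\tFALSE\t/\tFALSE\t1427845458\tmyserver_SESSION\t\n'
        printf '#HttpOnly_example.test\tFALSE\t/\tTRUE\t1427845458\tdemo_SESSION\tconstructed-value\n'
    } > "$1"
}

# Demo: an automated test would fail the run on any non-zero status.
jar=$(mktemp) && write_sample_jar "$jar"
for c in myserver_SESSION demo_SESSION absent_cookie; do
    v=$(jar_cookie_value "$jar" "$c") && rc=0 || rc=$?
    echo "$c: status=$rc value='$v'"
done
rm -f "$jar"
```

Run after the `curl ... -c cookies.txt -L` step, `jar_cookie_value cookies.txt myserver_SESSION` returning 1 flags the empty-value entry seen in the jar above without anyone having to read the verbose log.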