

Bug report: cookies and redirection

From: Ben Combee <>
Date: Wed, 9 Apr 2008 16:56:45 -0500

Here's one problem I saw with libcurl 7.17.1 (hadn't retried with
7.18.1 but didn't see anything in change notes that seemed like it
would affect this). I used both CURLOPT_COOKIE and
CURLOPT_FOLLOWLOCATION for a handle. In watching the HTTP traffic,
the cookie I'd set for the original URL also got sent to the
redirected URL. For example, if redirected to, the cookie would be sent to both even
though it's only valid for the original domain.

This seems like a security hole -- I'd expect the cookie to be cleared
if a redirection happened and it now refers to a different hostname.

Ideally, I'd like the ability to alter the cookie for the new URL, but
there's no "I redirected, change things now" callback. There is a
header callback which exposes the Location header, so is it safe to
call curl_easy_setopt(CURLOPT_COOKIE) then to affect what gets sent to
the next connection?

Received on 2008-04-10
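
An added example, not part of the original mail or of libcurl: a caller-side host check for the behaviour reported above. It assumes the application leaves CURLOPT_FOLLOWLOCATION off, reads the next URL from CURLINFO_REDIRECT_URL (added in libcurl 7.18.2) and sets CURLOPT_COOKIE for the follow-up request only when the host is unchanged; the function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Find the host inside an absolute URL (scheme://[userinfo@]host[:port]/...).
 * Returns 1 and sets *host and *len on success, 0 if no host can be found. */
static int url_host(const char *url, const char **host, size_t *len)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return 0;                      /* relative or malformed: no host */
    p += 3;
    const char *end = p + strcspn(p, "/?#");   /* end of the authority part */

    /* Skip userinfo: the real host starts after the last '@' in the
     * authority, so "http://a.example@b.example/" resolves to b.example. */
    for (const char *q = p; q < end; q++)
        if (*q == '@')
            p = q + 1;

    const char *h_end = p;
    if (*p == '[') {                   /* bracketed IPv6 literal */
        h_end = memchr(p, ']', (size_t)(end - p));
        if (h_end == NULL)
            return 0;
        h_end++;
    } else {
        while (h_end < end && *h_end != ':')   /* stop before the port */
            h_end++;
    }
    if (h_end == p)
        return 0;
    *host = p;
    *len = (size_t)(h_end - p);
    return 1;
}

/* Return 1 only when both URLs name the same host (case-insensitive).
 * Anything that cannot be parsed fails closed, so the cookie is withheld. */
int cookie_allowed_after_redirect(const char *original_url, const char *redirect_url)
{
    const char *a, *b;
    size_t la, lb;
    if (!url_host(original_url, &a, &la) || !url_host(redirect_url, &b, &lb))
        return 0;
    if (la != lb)
        return 0;
    for (size_t i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}
```

The check compares hostnames only, matching the concern in the report; a caller that also wants to withhold the cookie on an https to http downgrade would compare the scheme as well.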