
curl-library

why does curl silently discard expired cookies and can this be disabled?

From: <Guenter.Pusch_at_loewe.de>
Date: Tue, 18 Aug 2015 11:09:34 +0000

Dear all,

although the question seems quite straightforward I want to elaborate on this a bit more.

I'm developing software for TV receivers which support the MHEG5 interactive service (which is something comparable to HbbTV).
MHEG5 is standardized by ETSI ES 202 184, which specifies the following:
"15.7.5 Cookie support
Receivers shall support the use of cookies via the Cookie request header and Set Cookie response header as defined by RFC 6265 [32]. All cookies shall be stored transiently, regardless of any specified expiration date or age. [...]"

In our previous products we were using "libcurl.so.4.2.0" which didn't seem to bother whether cookies were expired or not. But in the currently used versions "libcurl.so.5.3.0" it has started to silently discard expired cookies which makes it now impossible to fulfill the above requirement.
I don't know how the "libcurl.so.x.y.z"-version maps to the official curl version. I therefore cannot tell from what sources my libcurl.so.5.3.0 shared library originates. However, I compiled the sources of curl 7.28.0 and also got "libcurl.so.4.2.0" from that, which works as desired but makes me believe that library versions have no direct link to the curl version. And it may well be that the whole issue is just up to these "versions" and not to curl itself?

The whole thing became apparent when we changed the web server. They were running different PHP versions. Only the server running PHP 5.6.3 was sending a "max-age" attribute with the cookies (see below). The other with PHP 5.3 didn't.

HTTP/1.1 200 OK
Date: Mon, 06 Jul 2015 15:20:35 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1f mod_wsgi/4.4.1 Python/2.7.6 PHP/5.6.3
X-Powered-By: PHP/5.6.3
Set-Cookie: expires1=expiry1; path=/ukdtt2/IC032; domain=dtgtest.org
Set-Cookie: expires2=expiry2; expires=Mon, 06-Jul-2015 15:20:35 GMT; Max-Age=0; path=/ukdtt2/IC032; domain=dtgtest.org
Set-Cookie: expires3=expiry3; expires=Tue, 07-Jul-2015 15:20:35 GMT; Max-Age=86400; path=/ukdtt2/IC032; domain=dtgtest.org
Set-Cookie: expires4=expiry4; expires=Sun, 05-Jul-2015 15:20:35 GMT; Max-Age=-86400; path=/ukdtt2/IC032; domain=dtgtest.org
Set-Cookie: expires5=expiry5; expires=Mon, 06-Jul-2015 14:20:35 GMT; Max-Age=-3600; path=/ukdtt2/IC032; domain=dtgtest.org
Set-Cookie: expires6=expiry6; expires=Tue, 05-Jul-2016 15:20:35 GMT; Max-Age=31536000; path=/ukdtt2/IC032; domain=dtgtest.org
Content-Length: 11
Content-Type: text/plain;charset=UTF-8

When comparing "libcurl.so.5.3.0" and "libcurl.so.4.2.0" I then found that it depends on whether the "max-age" attribute is set for a cookie or not. If it is absent, cookies with an expire time will always be kept. Only if the max-age has a negative value will they be discarded. Also, even if the "expired" attribute is in the past (and no max-age is present), cookies are still kept. So it's just the negative max-age causing trouble.
In other words: From the list above the cookies "expiry4" and "expiry5" are not provided to the application.

I think that in general RFC 6265 permits this behavior, but why not leave it to the application?

Finally, my questions are:
- is this behavior a curl build configuration issue? If yes, how is it unset?
- If not, is it possible to change curl, e.g. by adding a new CURL_OPTION to restore the "old" behaviour and let the application decide when to remove an expired cookie?

Kind regards,
Günter

----------------------

Günter Jorma Pusch
Team Leader/Gruppenleiter
DVB-Software

Loewe Technologies GmbH
Industriestr. 11
D-96317 Kronach
Tel.: +49 9261 99-915
Fax: +49 9261 99-378
mailto: guenter.pusch_at_loewe.de
visit: www.loewe.de

Received on 2015-08-18
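
An added example, not part of the original message and not libcurl code: a small C sketch that reads the Max-Age attribute from the six Set-Cookie values quoted above and compares three storage policies: RFC 6265 (Max-Age of zero or less expires the cookie, and Max-Age takes precedence over Expires), the negative-only discard the message reports, and the ES 202 184 "store everything transiently" rule. The policy names and function names are hypothetical, and cookies carrying only an Expires attribute are not evaluated here.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: the six Set-Cookie values quoted in the message. */
static const char *SAMPLE[6] = {
    "expires1=expiry1; path=/ukdtt2/IC032; domain=dtgtest.org",
    "expires2=expiry2; expires=Mon, 06-Jul-2015 15:20:35 GMT; Max-Age=0; path=/ukdtt2/IC032; domain=dtgtest.org",
    "expires3=expiry3; expires=Tue, 07-Jul-2015 15:20:35 GMT; Max-Age=86400; path=/ukdtt2/IC032; domain=dtgtest.org",
    "expires4=expiry4; expires=Sun, 05-Jul-2015 15:20:35 GMT; Max-Age=-86400; path=/ukdtt2/IC032; domain=dtgtest.org",
    "expires5=expiry5; expires=Mon, 06-Jul-2015 14:20:35 GMT; Max-Age=-3600; path=/ukdtt2/IC032; domain=dtgtest.org",
    "expires6=expiry6; expires=Tue, 05-Jul-2016 15:20:35 GMT; Max-Age=31536000; path=/ukdtt2/IC032; domain=dtgtest.org",
};

/* Hypothetical policy names for this sketch; they are not libcurl options. */
enum policy { POLICY_RFC6265, POLICY_NEGATIVE_ONLY, POLICY_TRANSIENT };

/* Returns 1 and stores the last well-formed Max-Age value, else returns 0. */
static int parse_max_age(const char *hdr, long *out)
{
    int found = 0;
    for (const char *p = strchr(hdr, ';'); p; p = strchr(p, ';')) {
        p += 1 + strspn(p + 1, " \t");          /* skip ';' and padding */
        if (strncasecmp(p, "max-age=", 8) != 0) continue;
        const char *v = p + 8, *d = v + (*v == '-');
        size_t n = strspn(d, "0123456789");
        if (n > 0 && (d[n] == ';' || d[n] == '\0')) {  /* digits only, RFC 6265 5.2.2 */
            *out = strtol(v, NULL, 10);
            found = 1;
        }
    }
    return found;
}

/* 1 if the cookie is stored under pol. No valid Max-Age: treated as kept. */
int cookie_kept(const char *hdr, enum policy pol)
{
    long age;
    if (pol == POLICY_TRANSIENT || !parse_max_age(hdr, &age))
        return 1;
    return pol == POLICY_RFC6265 ? age > 0 : age >= 0;
}

/* Bit i is set when SAMPLE[i] is kept under pol. */
unsigned kept_mask(enum policy pol)
{
    unsigned m = 0;
    for (int i = 0; i < 6; i++)
        m |= (unsigned)cookie_kept(SAMPLE[i], pol) << i;
    return m;
}
```

Under the negative-only policy the mask drops exactly expires4 and expires5, matching the observation in the message; the RFC 6265 policy additionally drops expires2 (Max-Age=0).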