curl-library

Re: Cookie Secure flag

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 17 Feb 2016 18:29:34 -0500

On 2/17/2016 5:19 PM, Pierre Brico wrote:
>
> Hello,
>
> I have a question about the usage of libcurl with the Secure flag on cookies.
>
> I'm writing an injector tool to perform benchmarks on a web application.
> This tool is based on libcurl and libevent.
>
> The web application isn't exposed directly to the web but uses an F5
> ASM for security purposes. This F5 appliance takes the HTTPS flow,
> processes it from a security point of view and then forwards it as HTTP
> to the web server.
>
> USER <=(HTTPS)=> INTERNET <=(HTTPS)=> F5 <=(HTTP)=> APPLICATION
>
> For my injection tool, I would like to avoid using the F5 and connect
> directly to the application server. But the application is sending
> cookies with the Secure flag enabled (which works with the F5 but not
> over a direct HTTP connection).
>
> So my question is: is it possible to tell libcurl to ignore the Secure
> flag and process the cookie as a "normal" cookie?
>

I don't see that supported and I think it's unlikely it will be. You can
override the behavior of the cookie parser, quick and dirty, to include
secure cookies in a particular host's cookie list even if the connection
is not secured, but you'll have to edit the source to do it. The cookies,
when read from or written to the cookie file, will still have their
original secure flag.

https://github.com/curl/curl/blob/curl-7_47_1/lib/cookie.c#L1049-L1053

example:

diff --git a/lib/cookie.c b/lib/cookie.c
index c542476..e90ce82 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -1059,7 +1059,8 @@ struct Cookie *Curl_cookie_getlist(struct
CookieInfo *c,
         date AND that if the cookie requires we're secure we must only
         continue if we are! */
      if((!co->expires || (co->expires > now)) &&
- (co->secure?secure:TRUE)) {
+ (Curl_raw_equal(host, "the-host-to-ignore-secure-flag") ||
+ (co->secure?secure:TRUE))) {

        /* now check if the domain is correct */
        if(!co->domain ||
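Review bot: the `Curl_raw_equal(host, "the-host-to-ignore-secure-flag")` test turns the Secure check into a no-op for that host on plain HTTP, but the comment just above the condition still reads "if the cookie requires we're secure we must only continue if we are!", so extend that comment to say the host is exempt. Because the hostname is a compile-time literal, wrap the added condition in an `#ifdef` (or read the name from an environment variable) so a benchmark build cannot end up shipped as a libcurl that sends Secure cookies for that host over cleartext. Note also that the exemption is keyed on the request host only and the domain check that follows is unchanged, so every Secure cookie whose domain matches that host is released, not only cookies the host set itself.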

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-02-18
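A model of the cookie filter that the patch above modifies, added here as a worked example; it is not libcurl code and not part of the original mail. It reproduces the checks Curl_cookie_getlist() applies in the order shown in the hunk (expiry, Secure flag, then domain and path), with `override_host` standing in for the hard-coded literal in the patch. The jar contents, the fixed clock, the hostnames and the use of strcasecmp() in place of Curl_raw_equal() are all assumptions made for the example:

```c
/* Added example, not libcurl code: models the Curl_cookie_getlist() filter
 * with the "ignore Secure for one host" override from the quoted patch. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <time.h>

struct cookie {
    const char *name;
    const char *domain;   /* domain the cookie was set for */
    const char *path;
    time_t expires;       /* 0 = session cookie */
    bool secure;          /* Secure attribute present */
};

/* Constructed fixed clock: 2016-02-17 23:29:34 UTC. */
#define NOW ((time_t)1455751774)

/* Constructed sample jar, as the application in the thread might have set it. */
static const struct cookie JAR[] = {
    { "session", "app.example.com", "/",      0,                  true  },
    { "csrf",    "app.example.com", "/",      0,                  false },
    { "track",   "example.com",     "/",      (time_t)2000000000, true  }, /* domain cookie */
    { "admin",   "app.example.com", "/admin", 0,                  true  },
    { "stale",   "app.example.com", "/",      (time_t)1,          false }, /* expired */
};
#define NJAR (sizeof JAR / sizeof JAR[0])

/* "example.com" matches "example.com" and "app.example.com" but not
 * "notexample.com": the suffix must begin at a label boundary. */
static bool domain_matches(const char *cookie_domain, const char *host)
{
    size_t cl = strlen(cookie_domain), hl = strlen(host);
    if (cl == 0 || cl > hl || strcasecmp(cookie_domain, host + (hl - cl)) != 0)
        return false;
    return cl == hl || host[hl - cl - 1] == '.';
}

/* RFC 6265 path-match: "/admin" matches "/admin" and "/admin/users",
 * but not "/administrator". */
static bool path_matches(const char *cookie_path, const char *req_path)
{
    size_t cl = strlen(cookie_path);
    if (cl == 0)
        return true;
    if (strncmp(cookie_path, req_path, cl) != 0)
        return false;
    return req_path[cl] == '\0' || cookie_path[cl - 1] == '/' || req_path[cl] == '/';
}

/* Would this cookie be attached to a request for host/path? `secure` is true
 * on an HTTPS connection. `override_host` is the hypothetical literal from the
 * patch (compared case-insensitively, like Curl_raw_equal); NULL = stock libcurl. */
bool cookie_is_sent(const struct cookie *co, const char *host, const char *req_path,
                    bool secure, time_t now, const char *override_host)
{
    if (co->expires && co->expires <= now)
        return false;                                /* expired */
    bool secure_ok = co->secure ? secure : true;     /* stock rule */
    if (override_host && strcasecmp(host, override_host) == 0)
        secure_ok = true;                            /* the patch's short-circuit */
    if (!secure_ok)
        return false;
    return domain_matches(co->domain, host) && path_matches(co->path, req_path);
}

/* Names that would go on the Cookie: header, in jar order; returns the count. */
size_t cookie_header(char *buf, size_t cap, const char *host, const char *req_path,
                     bool secure, const char *override_host)
{
    size_t n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < NJAR; i++) {
        if (!cookie_is_sent(&JAR[i], host, req_path, secure, NOW, override_host))
            continue;
        snprintf(buf + strlen(buf), cap - strlen(buf), "%s%s", n ? "; " : "", JAR[i].name);
        n++;
    }
    return n;
}

/* Lookup by cookie name in the sample jar. */
bool sent_by_name(const char *name, const char *host, const char *req_path,
                  bool secure, const char *override_host)
{
    for (size_t i = 0; i < NJAR; i++)
        if (strcmp(JAR[i].name, name) == 0)
            return cookie_is_sent(&JAR[i], host, req_path, secure, NOW, override_host);
    return false;
}

int main(void)
{
    char hdr[256];
    const char *host = "app.example.com";
    cookie_header(hdr, sizeof hdr, host, "/", true, NULL);
    printf("https, stock libcurl   : %s\n", hdr);
    cookie_header(hdr, sizeof hdr, host, "/", false, NULL);
    printf("http,  stock libcurl   : %s\n", hdr);
    cookie_header(hdr, sizeof hdr, host, "/", false, host);
    printf("http,  patched for host: %s\n", hdr);
    return 0;
}
```

Running it prints the cookie names attached for https://app.example.com/, for the same request over plain http with stock libcurl (only the non-Secure csrf cookie), and for http with the override in place (the Secure session cookie and the Secure domain cookie set for example.com both go out in cleartext). That last case is what to weigh before using the patch outside an isolated benchmark network: the exemption is keyed on the request host, so any Secure cookie whose domain matches that host is released, not only the ones the application itself set.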