

Re: Cookie Secure flag

From: Ray Satiro via curl-library <>
Date: Wed, 17 Feb 2016 18:29:34 -0500

On 2/17/2016 5:19 PM, Pierre Brico wrote:
> Hello,
> I've a question about the usage of libcurl with Secure Flag on Cookie.
> I'm writing an injector tool to perform benchmarks on a web application.
> This tool is based on libcurl and libevent.
> The web application isn't exposed directly to the web but uses an F5
> ASM for security purposes. This F5 appliance takes the HTTPS flow,
> processes it from a security point of view and then forwards it as HTTP
> to the web server.
> For my injection tool, I would like to avoid using the F5 and connect
> directly to the application server. But the application is sending
> Cookie with Secure flag enabled (which is working with the F5 but not
> using direct connection HTTP).
> So my question is: is it possible to tell libcurl to ignore the Secure
> Flag and process the Cookie as a "normal" cookie?

I don't see that supported and I think it's unlikely it will be. You can
override the behavior of the cookie parser quick and dirty to include
secure cookies in a particular host's cookie list even if the connection
is not secured, but you'll have to edit the source to do it. The cookies
when read/written from the cookie file will still have their original
secure flag.


diff --git a/lib/cookie.c b/lib/cookie.c
index c542476..e90ce82 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -1059,7 +1059,8 @@ struct Cookie *Curl_cookie_getlist(struct
CookieInfo *c,
         date AND that if the cookie requires we're secure we must only
         continue if we are! */
      if((!co->expires || (co->expires > now)) &&
- (co->secure?secure:TRUE)) {
+ (Curl_raw_equal(host, "the-host-to-ignore-secure-flag") ||
+ (co->secure?secure:TRUE))) {

        /* now check if the domain is correct */
        if(!co->domain ||
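
Review bot: the added Curl_raw_equal(host, "the-host-to-ignore-secure-flag") term in the if condition hard-codes a host name inside Curl_cookie_getlist, so any binary built with this patch returns Secure cookies for that host on a non-secure connection for every caller of the library, with no way to switch it off at run time. The comment directly above still says that a cookie requiring a secure connection is only continued with when the connection is secure, which no longer holds for the named host, so it should be updated to describe the exception. Since this is meant for a benchmark tool, put the extra term behind a test-only preprocessor guard so it cannot end up in a production build. The comparison is an exact match against the literal string, so if the placeholder is left unchanged the exception silently never applies.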

Received on 2016-02-18