

Re: Cookie Secure flag

From: Pierre Brico <>
Date: Thu, 18 Feb 2016 16:38:48 +0100

Hi Daniel and Ray,

Thanks for your reply and suggestions.

I understand why you don't want to implement this kind of feature in
libcurl but I don't like the proposed solutions:
Ray's one: customized modifications in libcurl is not a good idea
Daniel's one: the processing to generate the Cookies list (strings list and
not objects list), then parse it, then remove the "secure" attribute, then
give it back to curl seems a waste of CPU. But no modification is necessary,
which is a good thing.

My next question is: is it possible to intercept the HTTP header (probably
with a callback function) to remove the "secure" flag BEFORE libcurl process

Thanks again for this wonderful library and your help!

On Thu, Feb 18, 2016 at 9:15 AM, Daniel Stenberg <> wrote:

> On Wed, 17 Feb 2016, Ray Satiro via curl-library wrote:
>
>>> So my question is: is it possible to tell libcurl to ignore the Secure
>>> Flag and process the Cookie as a "normal" cookie?
>>
>> I don't see that supported and I think it's unlikely it will be.
>
> I agree. In this day and age we have a problem on the general web with
> cookie leakage from HTTPS over to HTTP and there are already plans and
> drafts in the works for making it less likely to occur in the future. It
> would feel odd to then provide an official way for us to enable such a leak.
>
>> You can override the behavior of the cookie parser quick and dirty to
>> include secure cookies in a particular host's cookie list even if the
>> connection is not secured, but you'll have to edit the source to do it.
>
> Another way to do it would probably be to use curl_easy_getinfo's
> CURLINFO_COOKIELIST to extract all the cookies, clear off the secure flags,
> flush the entire internal list of cookies and then bring the scrubbed list
Received on 2016-02-18
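
The string handling behind the CURLINFO_COOKIELIST approach quoted above, as an added example that is not code from the thread or from libcurl: each list entry is a Netscape cookie-file line whose fourth tab-separated field is the secure flag. The function name `scrub_secure` and the sample lines are assumptions constructed for illustration, and values containing tabs are treated as malformed.

```c
#include <stdio.h>
#include <string.h>

/* Netscape cookie-file line, the format of each CURLINFO_COOKIELIST entry:
 *   domain \t subdomains \t path \t secure \t expiry \t name \t value
 * Rewrites the 4th field (secure) from TRUE to FALSE.
 * Returns 1 if rewritten, 0 if already FALSE (copied unchanged),
 * -1 if the line is malformed or out is too small. */
int scrub_secure(const char *line, char *out, size_t outlen)
{
    const char *field = line, *end, *p;
    size_t flen;
    int i, n, tabs = 0;

    for (p = line; *p; p++)          /* expect 7 fields = 6 tabs */
        if (*p == '\t') tabs++;
    if (tabs != 6) return -1;

    for (i = 0; i < 3; i++)          /* skip domain, subdomains, path */
        field = strchr(field, '\t') + 1;
    end = strchr(field, '\t');
    flen = (size_t)(end - field);

    if (flen == 5 && !strncmp(field, "FALSE", 5))
        n = snprintf(out, outlen, "%s", line);
    else if (flen == 4 && !strncmp(field, "TRUE", 4))
        n = snprintf(out, outlen, "%.*sFALSE%s", (int)(field - line), line, end);
    else
        return -1;                   /* secure field is neither TRUE nor FALSE */
    if (n < 0 || (size_t)n >= outlen) return -1;
    return flen == 4;
}

int main(void)
{
    /* Constructed sample entries, not captured from a real server. */
    const char *samples[] = {
        "example.com\tFALSE\t/\tTRUE\t0\tsid\tabc123",
        "#HttpOnly_.example.com\tTRUE\t/\tFALSE\t1700000000\tpref\tx",
    };
    char out[512];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = scrub_secure(samples[i], out, sizeof out);
        printf("%d: %s\n", rc, rc >= 0 ? out : "(malformed)");
    }
    return 0;
}
```

In a libcurl program the lines come from `curl_easy_getinfo` with `CURLINFO_COOKIELIST`, the jar is cleared by setting `CURLOPT_COOKIELIST` to `"ALL"`, and each scrubbed line is passed back through `CURLOPT_COOKIELIST`. A cookie rewritten this way is afterwards sent over plain `http://` as well, which is the leak Daniel describes.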