Download
Browse source Changelog
Documentation
Project   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Version numbers curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
API Bindings Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Incorrect handling of subdomain cookies.

From: Sergei Kuzmin <sergeikuzmin_at_gmail.com>
Date: Mon, 26 Sep 2016 18:40:26 -0700

Extra details:

curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8
libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
SSL libz TLS-SRP UnixSockets

on Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)

On Mon, Sep 26, 2016 at 6:34 PM, Sergei Kuzmin <sergeikuzmin_at_gmail.com>
wrote:

> Hi all
>
> I recently tried to automate login into av.by. After login site sets .
> av.by cookies (note leading dot). However these cookies are stored as
> av.by (strict domain) so it doesn't work for sub-domain in consecutive
> call. Is it some security measure? Is there some well known workaround? At
> present I postfix the cookiejar after the call:
> sed -i -r 's/^av.by\tFALSE/.av.by\tTRUE/' av_by.cookiejar
>
> Interesting parts are in yellow:
>
> curl http://av.by/login -H 'Origin: http://av.by' -H 'Content-Type:
> application/x-www-form-urlencoded' -H 'Cache-Control: max-age=0' -H
> 'Referer: http://av.by/login' --data 'login_form_csrf=1111111111111
> 11111-1111111111111111111111111111&login=11111&password=1111
> 111111&submit=%D0%92%D0%BE%D0%B9%D1%82%D0%B8&remember=0&remember=1' -H
> 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language:
> en-US,en;q=0.8,ru;q=0.6,pl;q=0.4' -H 'Upgrade-Insecure-Requests: 1' -H
> 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36' -H 'Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
> -H 'Connection: keep-alive' --compressed -b av_by.cookiejar -c
> av_by.cookiejar -v
>
> * Connected to av.by (86.57.246.106) port 80 (#0)
> > POST /login HTTP/1.1
> > Host: av.by
> > Cookie: PHPSESSID=22222222222222222222222
> > Origin: http://av.by
> > Content-Type: application/x-www-form-urlencoded
> > Cache-Control: max-age=0
> > Referer: http://av.by/login
> > Accept-Encoding: gzip, deflate, sdch
> > Accept-Language: en-US,en;q=0.8,ru;q=0.6,pl;q=0.4
> > Upgrade-Insecure-Requests: 1
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/
> webp,*/*;q=0.8
> > Connection: keep-alive
> > Content-Length: 111
> >
> } [111 bytes data]
> * upload completely sent off: 111 out of 111 bytes
> < HTTP/1.1 302 Found
> < Server: nginx
> < Content-Type: text/html
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Expires: Thu, 1 Nov 1981 01:01:01 GMT
> < Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> < Pragma: no-cache
> * Added cookie avby_id="11111" for domain av.by, path /, expire
> 11111111111
> < Set-Cookie: avby_id=11111; expires=Mon, 1-Jan-2026 01:01:01 GMT; path=/;
> domain=.av.by
> * Added cookie avby_hash="123456789123456789123456789" for domain av.by,
> path /, expire 1111111111
> < Set-Cookie: avby_hash=123456789123456789123456789; expires=Mon,
> 1-Jan-2026 01:01:01 GMT; path=/; domain=.av.by
> * Replaced cookie avby_id="11111" for domain av.by, path /, expire
> 123512345 Set-Cookie: avby_id=11111; expires=Mon, 1-Jan-2026 01:01:01;
> path=/
> * Replaced cookie avby_hash="123456789123456789123456789" for domain av.by,
> path /, expire 1790298555
> < Set-Cookie: avby_hash=123456789123456789123456789; expires=Mon,
> 1-Jan-2026 01:01:01; GMT; path=/
> * Replaced cookie PHPSESSID="deleted" for domain av.by, path /, expire 1
> < Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
> * Added cookie PHPSESSID="1234512345" for domain av.by, path /, expire 0
> < Set-Cookie: PHPSESSID=1234512345
> < Location: http://av.by/profile
>
> Cookie jar after execution
> av.by FALSE / FALSE 11111111111 avby_id 11111
> av.by FALSE / FALSE 11111111111 avby_hash
> 123456789123456789123456789
> av.by FALSE / FALSE 0 PHPSESSID 1234512345
>
> First two lines are expected to start with ".av.by TRUE"
>
> Then site redirects to cars.av.by which doesn't have required cookies.
>
> Sergei
>
>
>
>
>

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-27