curl-library
Re: Incorrect handling of subdomain cookies.
Date: Mon, 26 Sep 2016 18:40:26 -0700
Extra details:
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8
libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
SSL libz TLS-SRP UnixSockets
on Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
On Mon, Sep 26, 2016 at 6:34 PM, Sergei Kuzmin <sergeikuzmin_at_gmail.com>
wrote:
> Hi all
>
> I recently tried to automate login into av.by. After login the site sets
> .av.by cookies (note the leading dot). However, these cookies are stored as
> av.by (strict domain), so it doesn't work for the sub-domain in a consecutive
> call. Is it some security measure? Is there some well-known workaround? At
> present I postfix the cookiejar after the call:
> sed -i -r 's/^av.by\tFALSE/.av.by\tTRUE/' av_by.cookiejar
>
> Interesting parts are in yellow:
>
> curl http://av.by/login -H 'Origin: http://av.by' -H 'Content-Type:
> application/x-www-form-urlencoded' -H 'Cache-Control: max-age=0' -H
> 'Referer: http://av.by/login' --data 'login_form_csrf=1111111111111
> 11111-1111111111111111111111111111&login=11111&password=1111
> 111111&submit=%D0%92%D0%BE%D0%B9%D1%82%D0%B8&remember=0&remember=1' -H
> 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language:
> en-US,en;q=0.8,ru;q=0.6,pl;q=0.4' -H 'Upgrade-Insecure-Requests: 1' -H
> 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36' -H 'Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
> -H 'Connection: keep-alive' --compressed -b av_by.cookiejar -c
> av_by.cookiejar -v
>
> * Connected to av.by (86.57.246.106) port 80 (#0)
> > POST /login HTTP/1.1
> > Host: av.by
> > Cookie: PHPSESSID=22222222222222222222222
> > Origin: http://av.by
> > Content-Type: application/x-www-form-urlencoded
> > Cache-Control: max-age=0
> > Referer: http://av.by/login
> > Accept-Encoding: gzip, deflate, sdch
> > Accept-Language: en-US,en;q=0.8,ru;q=0.6,pl;q=0.4
> > Upgrade-Insecure-Requests: 1
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/
> webp,*/*;q=0.8
> > Connection: keep-alive
> > Content-Length: 111
> >
> } [111 bytes data]
> * upload completely sent off: 111 out of 111 bytes
> < HTTP/1.1 302 Found
> < Server: nginx
> < Content-Type: text/html
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Expires: Thu, 1 Nov 1981 01:01:01 GMT
> < Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> < Pragma: no-cache
> * Added cookie avby_id="11111" for domain av.by, path /, expire
> 11111111111
> < Set-Cookie: avby_id=11111; expires=Mon, 1-Jan-2026 01:01:01 GMT; path=/;
> domain=.av.by
> * Added cookie avby_hash="123456789123456789123456789" for domain av.by,
> path /, expire 1111111111
> < Set-Cookie: avby_hash=123456789123456789123456789; expires=Mon,
> 1-Jan-2026 01:01:01 GMT; path=/; domain=.av.by
> * Replaced cookie avby_id="11111" for domain av.by, path /, expire
> 123512345
> < Set-Cookie: avby_id=11111; expires=Mon, 1-Jan-2026 01:01:01;
> path=/
> * Replaced cookie avby_hash="123456789123456789123456789" for domain av.by,
> path /, expire 1790298555
> < Set-Cookie: avby_hash=123456789123456789123456789; expires=Mon,
> 1-Jan-2026 01:01:01; GMT; path=/
> * Replaced cookie PHPSESSID="deleted" for domain av.by, path /, expire 1
> < Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
> * Added cookie PHPSESSID="1234512345" for domain av.by, path /, expire 0
> < Set-Cookie: PHPSESSID=1234512345
> < Location: http://av.by/profile
>
> Cookie jar after execution
> av.by FALSE / FALSE 11111111111 avby_id 11111
> av.by FALSE / FALSE 11111111111 avby_hash
> 123456789123456789123456789
> av.by FALSE / FALSE 0 PHPSESSID 1234512345
>
> First two lines are expected to start with ".av.by TRUE"
>
> Then site redirects to cars.av.by which doesn't have required cookies.
>
> Sergei
Received on 2016-09-27
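
The cookie-jar scoping discussed in the message above, as an added example (not code from the original post or from the curl project): it parses a constructed copy of the jar and lists which cookies would reach `av.by` and `cars.av.by`, before and after the `sed` rewrite quoted in the post. The function names and the timestamp are assumptions made for the illustration.

```python
import re

# Constructed jar, modelled on the one in the post. Netscape format, tab-separated:
# domain, include-subdomains flag, path, secure, expiry (epoch), name, value
JAR = (
    "av.by\tFALSE\t/\tFALSE\t11111111111\tavby_id\t11111\n"
    "av.by\tFALSE\t/\tFALSE\t11111111111\tavby_hash\t123456789123456789123456789\n"
    "av.by\tFALSE\t/\tFALSE\t0\tPHPSESSID\t1234512345\n"
)

def parse_jar(text):
    """Parse cookie-jar text into a list of dicts, skipping comments and junk."""
    cookies = []
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):      # curl marks HttpOnly cookies this way
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, sub, path, secure, expiry, name, value = fields
        cookies.append({"domain": domain, "subdomains": sub == "TRUE",
                        "expiry": int(expiry), "name": name})
    return cookies

def domain_matches(cookie, host):
    """Host-only cookies need an exact match; others also match subdomains."""
    domain = cookie["domain"].lstrip(".").lower()
    host = host.lower()
    if host == domain:
        return True
    return cookie["subdomains"] and host.endswith("." + domain)

def sent_to(cookies, host, now):
    """Names of unexpired cookies whose domain scope covers host (path/secure ignored)."""
    return [c["name"] for c in cookies
            if domain_matches(c, host) and (c["expiry"] == 0 or c["expiry"] > now)]

def apply_sed_rewrite(text):
    """Same substitution as the sed one-liner in the post, applied to every line."""
    return re.sub(r"^av.by\tFALSE", ".av.by\tTRUE", text, flags=re.M)

if __name__ == "__main__":
    now = 1474940426  # constructed timestamp: 2016-09-27
    for label, jar in (("as written", JAR), ("after sed", apply_sed_rewrite(JAR))):
        for host in ("av.by", "cars.av.by"):
            print(label, host, sent_to(parse_jar(jar), host, now))
```

The rewrite matches every line that begins with `av.by<TAB>FALSE`, so it widens `PHPSESSID` to all subdomains along with the two login cookies.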