cURL
Haxx ad
libcurl
Mailing Lists

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-tracker Archives

[ curl-Bugs-3349227 ] secure attribute in cookie does not work with equals sign

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Fri, 01 Jul 2011 20:05:18 -0500

Bugs item #3349227, was opened at 2011-07-01 20:05
Message generated for change (Tracker Item Submitted) made by gnombat
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3349227&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: gnombat (gnombat)
Assigned to: Daniel Stenberg (bagder)
Summary: secure attribute in cookie does not work with equals sign

Initial Comment:
If an HTTPS server marks a cookie as secure with the "Secure" attribute, and it uses an equals sign, curl does not recognize the cookie as secure. This is best illustrated with an example: suppose the server returns the following 2 headers:

Set-Cookie: secure_without_equals=1; secure
Set-Cookie: secure_with_equals=1; secure=

Then suppose the server is accessed with curl:

curl --cookie-jar cookies-curl.txt https://SERVER

The resulting cookie jar is as follows:
...
... FALSE / TRUE 0 secure_without_equals 1
... FALSE / FALSE 0 secure_with_equals 1

With most other browsers and HTTP clients, both cookies are treated as secure. For example, with wget:

wget --save-cookies=cookies-wget.txt --keep-session-cookies -q -O- https://SERVER
...
... FALSE / TRUE 0 secure_with_equals 1
... FALSE / TRUE 0 secure_without_equals 1

This appears to be a problem in real-world applications; e.g., Microsoft servers sometimes return a Set-Cookie header with "secure=" in it.

$ curl -V
curl 7.21.7 (i686-pc-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM SSL libz

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3349227&group_id=976
Received on 2011-07-02

These mail archives are generated by hypermail.

donate! Page updated November 12, 2010.
web site info

File upload with ASP.NET