ureq icon indicating copy to clipboard operation
ureq copied to clipboard

Published 20 hours ago verified publisher icon algesten

Redirects cause multiple Cookie headers to be sent

Open dotdash opened this issue 2 years ago • 3 comments

When following a redirect, the Cookie header is retained, but then in Unit::new(), a new Cookie header is created from the contents of the cookie store. Therefore, each redirect adds another Cookie header.

[2023-05-11T14:40:16Z DEBUG ureq::unit] writing prelude: GET / HTTP/1.1
    Host: retracted
    User-Agent: ureq/2.6.2
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    accept-encoding: gzip
    Cookie: ***
    Cookie: ***
    Cookie: ***
    Cookie: ***

This violates https://httpwg.org/specs/rfc6265.html#cookie which says:

When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field.

dotdash avatar May 11 '23 14:05 dotdash

Hi Björn! Welcome to ureq!

This does indeed seem wrong. We should fix it.

algesten avatar May 12 '23 18:05 algesten

Hi, should be resolved with #608 , or not?

PizlaTheDeveloper avatar May 15 '23 13:05 PizlaTheDeveloper

I was bitten by this. The site I'm accessing has some redirects (within the same domain) while checking credentials. Unfortunately, if the client duplicates the session cookie authorization will fail. Took me a while to figure that out.

dotdash's fix works for me.

alexkingnz avatar Jun 01 '23 13:06 alexkingnz

Closing since we're moving to ureq 3.x. It is probably fixed there.

algesten avatar Aug 13 '24 18:08 algesten