
Doesn't correctly handle storing cookies in session after redirect to different domain #1004

Open
segevfiner opened this issue Dec 10, 2020 · 1 comment
Labels
bug Something isn't working sessions

Comments

@segevfiner

After a redirect to a different domain, a cookie set using Set-Cookie without a Domain should become a cookie set only for the redirected domain, but HTTPie saves it in the session of the original domain.

Steps to reproduce:

  1. Save app.py & app2.py (Need Python 3+, Flask 1.1.0):

    app.py:

    from flask import Flask, redirect
    
    
    app = Flask(__name__)
    
    
    @app.route('/set')
    def set_():
        return redirect("http://localhost:5001/callback")

    app2.py:

    from flask import Flask, make_response
    
    
    app = Flask(__name__)
    
    
    @app.route('/callback')
    def callback():
        resp = make_response()
        resp.set_cookie("test", "test", max_age=3600)
        return resp
  2. Run both apps in two separate terminals:

    flask run
    
    FLASK_APP=app2.py flask run -p 5001
  3. Run http --session=foo -v -F http://localhost:5000/set

  4. The cookie will be saved in the session for localhost:5000, and not for localhost:5001. Separate requests to http://localhost:5001 will not send the cookie.

When using a session file instead (--session=./session.json), the cookie will be saved in the single session file and will be sent on subsequent requests but without taking the cookie domain into account which can be problematic for some sites and use cases.

See https://tools.ietf.org/html/rfc6265

@tomtastic

I seem to be hitting this also.

I make a request to a domain X which wants to redirect me to a different authorisation domain A, along with a non-domain-specific cookie to use:

Location: https://A/SSO/redirect?redirect_uri=https://X/blah
Set-Cookie: sso=aabb12345678; Path=/; Max-Age=36000; Secure; HttpOnly; SameSite=None

But the following request to domain A fails to include that new cookie.
If I examine the headers in the accompanying session file, I see the domain is wrongly explicitly set for this cookie!

    "cookies": [
        {
            "domain": "X",
            "expires": 1674173346,
            "name": "sso",
            "path": "/",
            "secure": true,
            "value": "aabb12345678"
        }
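
The behaviour both posts expect, as an added example that is not HTTPie's code and not from either commenter: a Set-Cookie without a Domain attribute is a host-only cookie for the host that answered (RFC 6265 section 5.3), so on a redirect chain origin -> SSO it must be stored against the SSO host and sent to that host only, never to the origin that issued the redirect. The example uses the standard library's http.cookiejar, which already implements those rules, and scripts the two hosts (constructed names origin.example and sso.example standing in for X and A), the redirect and the cookie inline instead of fetching anything. The session_entries function prints the jar in the shape of the session-file excerpt above, with an extra host_only flag.

```python
"""Host-only cookie scoping across a cross-domain redirect (added example).

A cookie set without a Domain attribute is a host-only cookie for the host
that sent it (RFC 6265 section 5.3). On a redirect chain ORIGIN -> SSO where
SSO sets the cookie, it must be stored for SSO and sent to SSO only. The
standard library's http.cookiejar implements those rules; the hosts, the
redirect and the responses below are constructed, not fetched from the
issue's Flask apps.
"""
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request

# Constructed host names standing in for the comment's X (origin) and A (SSO).
ORIGIN_URL = "https://origin.example/set"
SSO_URL = "https://sso.example/callback"

# Scripted responses keyed by URL: a constructed stand-in for the two apps.
SCRIPTED_RESPONSES = {
    ORIGIN_URL: (302, [("Location", SSO_URL)]),
    SSO_URL: (200, [("Set-Cookie",
                     "sso=constructed-value; Path=/; Max-Age=36000; Secure; HttpOnly")]),
}


class FakeResponse:
    """Minimal stand-in for urllib's response object: CookieJar only calls info()."""

    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:
            self._msg[name] = value

    def info(self):
        return self._msg


def new_jar():
    # DomainStrictNonDomain makes Netscape-style (version 0) host-only cookies
    # match the exact host only, i.e. RFC 6265 semantics; the default liberal
    # policy would also send them to subdomains of the host that set them.
    policy = DefaultCookiePolicy(strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
    return CookieJar(policy)


def fetch_following_redirects(jar, url, max_hops=5):
    """Walk the scripted chain; cookies are stored against the URL that answered."""
    for _ in range(max_hops):
        request = Request(url)
        jar.add_cookie_header(request)
        status, headers = SCRIPTED_RESPONSES[url]
        response = FakeResponse(headers)
        # `request` is the redirected request, so a Domain-less Set-Cookie is
        # scoped to this host. Passing the original request here instead would
        # reproduce the bug described in the issue.
        jar.extract_cookies(response, request)
        if status in (301, 302, 303, 307, 308):
            url = response.info()["Location"]
            continue
        return url
    raise RuntimeError("too many redirects")


def session_entries(jar):
    """Cookies in the shape of the session-file excerpt, plus a host_only flag."""
    return [
        {"name": c.name, "domain": c.domain, "host_only": not c.domain_specified,
         "path": c.path, "secure": c.secure, "value": c.value}
        for c in jar
    ]


def cookie_header_for(jar, url):
    """Cookie header the jar would attach to a request for url, or None."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def demo():
    jar = new_jar()
    final_url = fetch_following_redirects(jar, ORIGIN_URL)
    return {
        "final_url": final_url,
        "stored": session_entries(jar),
        "to_sso": cookie_header_for(jar, "https://sso.example/api"),
        "to_origin": cookie_header_for(jar, "https://origin.example/blah"),
        "to_sso_subdomain": cookie_header_for(jar, "https://app.sso.example/"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running it stores a single cookie with domain sso.example and host_only true, attaches it to a later request to sso.example, and attaches nothing to requests to origin.example or to app.sso.example. Note that http.cookiejar strips the port before comparing hosts, as RFC 6265 requires (cookies give no isolation by port), which is why the example uses two distinct host names rather than the issue's localhost:5000 and localhost:5001.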
