Cookies carry over to different domain & don't expire #2186

Closed
max-te opened this issue Nov 21, 2022 · 4 comments

Comments

@max-te

max-te commented Nov 21, 2022

To reproduce this bug, I've set up two temporary Cloudflare workers and I'm using the following scenario:

Feature: Requests with cookies

  Scenario: Cookies from another subdomain
    * url "https://karate-cookie.jmteegen.workers.dev/"
    * method get
    * status 200

    * url "https://karate-cookie-2.jmteegen.workers.dev/"
    * method get
    * status 200
    * match response == "Cookie: null"

The first domain sets two cookies, COOKIEA and COOKIEB, where COOKIEB should expire immediately. (It is a cookie header like the one you would set to delete a cookie):

14:24:37.912 [main] DEBUG com.intuit.karate - request:
1 > GET https://karate-cookie.jmteegen.workers.dev/
1 > Host: karate-cookie.jmteegen.workers.dev
1 > Connection: Keep-Alive
1 > User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.17)
1 > Accept-Encoding: gzip,deflate


14:24:38.071 [main] DEBUG com.intuit.karate - response time in milliseconds: 152
1 < 200
1 < Date: Mon, 21 Nov 2022 13:24:38 GMT
1 < Content-Type: text/plain;charset=UTF-8
1 < Content-Length: 18
1 < Connection: keep-alive
1 < Set-Cookie: COOKIEA=12345; Path=/; Secure; HttpOnly
1 < Set-Cookie: COOKIEB=; Version=1; Path=/; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; HttpOnly
1 < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mTZ8wAsWEgS3X6hzvQN9QtJ4%2Bg7OA1TKjcM07uYqy9EUo8Mdfv%2BMKZtiB3kkGqmRk7WLlBXIs7gFJm6x7Wm6mRrAG4OquHrmcTlx2wRFPv1jWwIlOE%2Bdkl2QCDtkTIJXWpDuemQGKjoPtz9gsASepyEyGgUT"}],"group":"cf-nel","max_age":604800}
1 < NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
1 < Vary: Accept-Encoding
1 < Server: cloudflare
1 < CF-RAY: 76d9bf29db88ca43-HAM
1 < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Have some cookies!

Neither cookie should be used when sending a request to a different subdomain. COOKIEA because it is on the wrong domain, and COOKIEB because it is both on the wrong domain and expired. However, Karate 1.3.0 does send both of them:

14:24:38.078 [main] DEBUG com.intuit.karate - request:
2 > GET https://karate-cookie-2.jmteegen.workers.dev/
2 > Cookie: COOKIEA=12345; COOKIEB=
2 > Host: karate-cookie-2.jmteegen.workers.dev
2 > Connection: Keep-Alive
2 > User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.17)
2 > Accept-Encoding: gzip,deflate


14:24:38.124 [main] DEBUG com.intuit.karate - response time in milliseconds: 45
2 < 200
2 < Date: Mon, 21 Nov 2022 13:24:38 GMT
2 < Content-Type: text/plain;charset=UTF-8
2 < Content-Length: 31
2 < Connection: keep-alive
2 < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7VLlEiUiTcdxAzEENOuGv0TroyHU8yamGqF%2BVdRXAtzMaw4DtT3FSSPo2Cvyl3akiYpmUdnrnetSDnUTarU%2FAGpTKctwzYmt2CW7dag4NwfOmH7WQMVmok7EoZbABZj0QrHADj%2BoNoam6P8KmeHvX8%2FL68Ll43Q%3D"}],"group":"cf-nel","max_age":604800}
2 < NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
2 < Vary: Accept-Encoding
2 < Server: cloudflare
2 < CF-RAY: 76d9bf2a4bd8ca4c-HAM
2 < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Cookie: COOKIEA=12345; COOKIEB=

14:24:38.140 [main] ERROR com.intuit.karate - src/test/java/cookie-bug.feature:11
* match response == "Cookie: null"
match failed: EQUALS
  $ | not equal (STRING:STRING)
  'Cookie: COOKIEA=12345; COOKIEB='
  'Cookie: null'
@ptrthomas
Member

@max-te so there's some history for this. I'm tagging it as help-wanted: #2165

In the past we did try to "expire" cookies, but then decided to let karate just send everything, so that the user could set up invalid cookies as a negative case.

I guess a workaround would be to remove cookies. I'm open to adding behavior to karate to somehow clear or delete cookies; any suggestions for syntax are welcome.

@max-te
Author

max-te commented Nov 21, 2022

I suspected something like that. In my use case, server 1 is an auth server which issues API tokens and sets some cookies of its own, which are not part of the scope of my testing. Those cookies confuse server 2.

Maybe it's necessary to distinguish between cookies set by Set-Cookie headers vs. user-set cookies? Still, I understand that this is hard to solve in a way which covers all use cases.

Clearing all cookies (configure cookies = null) is a viable workaround in my specific situation.

@ptrthomas
Member

@max-te ah yes, configure cookies = null should do the trick, good to know it works

Will leave this discussion open because I wonder if it makes sense to intro a way to "clear all cookies" but allow any new cookies to be honored. As of today, if we do * cookies null it is like a no-op, and * cookies { foo: 'bar' } would "append".

@ptrthomas
Member

Closing because, when I thought about it more, configure cookies = null can be done any time and then new cookies can be added as a subsequent step. I was probably over-thinking this.
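As an added example, not Karate's code and not from anyone in this thread, the following Python cookie jar applies the two rules the bug report relies on, host scoping and expiry (RFC 6265), to the exact Set-Cookie headers and hostnames from the log above, and it also implements the "clear all cookies, but still honor new ones" behavior discussed in the last two comments. ISSUE_TIME is taken from the first response's Date header; the SESSION cookie stored after the clear is constructed for the example; public-suffix checks and the RFC default-path rule are deliberately omitted to keep the code short.

```python
"""Added example (not Karate's code): a minimal RFC 6265-style cookie jar that scopes cookies by
host, path, Secure and expiry.  Public-suffix checks and the default-path rule are omitted."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

URL_1 = "https://karate-cookie.jmteegen.workers.dev/"    # hosts and headers copied from the issue's log
URL_2 = "https://karate-cookie-2.jmteegen.workers.dev/"
RESPONSE_1_SET_COOKIES = [
    "COOKIEA=12345; Path=/; Secure; HttpOnly",
    "COOKIEB=; Version=1; Path=/; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; HttpOnly",
]
ISSUE_TIME = datetime(2022, 11, 21, 13, 24, 38, tzinfo=timezone.utc)  # the response's Date header


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # lower-case host, or the Domain attribute without a leading dot
    host_only: bool              # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool
    expires: Optional[datetime]  # None = session cookie


def parse_set_cookie(header: str, request_url: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie value relative to the URL of the response that carried it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    host = (urlsplit(request_url).hostname or "").lower()
    domain, host_only, path, secure, expires, max_age_seen = host, True, "/", False, None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            dom = val.lstrip(".").lower()
            if host == dom or host.endswith("." + dom):  # only the origin host or a parent of it
                domain, host_only = dom, False
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
        elif key == "max-age" and val.lstrip("-").isdigit():
            max_age_seen = True  # Max-Age beats Expires; a value <= 0 expires the cookie right now
            expires = now + timedelta(seconds=int(val)) if int(val) > 0 else now
        elif key == "expires" and not max_age_seen:
            expires = parsedate_to_datetime(val).astimezone(timezone.utc)
    return Cookie(name.strip(), value.strip(), domain, host_only, path, secure, expires)


def domain_matches(host: str, cookie: Cookie) -> bool:
    """Host-only cookies need an exact host match; Domain cookies also match subdomains."""
    return host == cookie.domain or (not cookie.host_only and host.endswith("." + cookie.domain))


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    return request_path == cookie_path or (request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))


class CookieJar:
    def __init__(self) -> None:
        self._cookies: Dict[Tuple[str, str, str], Cookie] = {}  # keyed by (name, domain, path)

    def store(self, set_cookie_headers: Iterable[str], request_url: str, now: datetime) -> None:
        for header in set_cookie_headers:
            c = parse_set_cookie(header, request_url, now)
            key = (c.name, c.domain, c.path)
            if c.expires is not None and c.expires <= now:
                self._cookies.pop(key, None)  # already expired: the "delete this cookie" idiom
            else:
                self._cookies[key] = c  # a repeat Set-Cookie for the same cookie replaces it

    def clear(self) -> None:
        self._cookies.clear()  # drop everything; later Set-Cookie headers are still honored

    def cookie_header(self, request_url: str, now: datetime) -> Optional[str]:
        """The Cookie header for this request, or None when no stored cookie is eligible."""
        url = urlsplit(request_url)
        host, path, https = (url.hostname or "").lower(), url.path or "/", url.scheme == "https"
        eligible = [c for c in self._cookies.values()
                    if (c.expires is None or c.expires > now) and domain_matches(host, c)
                    and path_matches(path, c.path) and (https or not c.secure)]
        return "; ".join(f"{c.name}={c.value}" for c in eligible) or None


def walkthrough(now: datetime = ISSUE_TIME) -> Dict[str, Optional[str]]:
    """The issue's two requests, then the 'clear all, honor new cookies' behavior from the thread."""
    jar = CookieJar()
    jar.store(RESPONSE_1_SET_COOKIES, URL_1, now)
    result = {"host1_again": jar.cookie_header(URL_1, now), "host2": jar.cookie_header(URL_2, now)}
    jar.clear()
    jar.store(["SESSION=abc; Path=/"], URL_2, now)  # constructed Set-Cookie from host 2
    result["host2_after_clear"] = jar.cookie_header(URL_2, now)
    return result
```

With these rules the second request to karate-cookie-2 carries no Cookie header at all: COOKIEA is host-only for the first host, and COOKIEB is dropped at store time because Max-Age=0 makes it expired on arrival, which is exactly the "delete this cookie" idiom the first comment describes. A cookie that should legitimately reach both hosts would have to carry Domain=jmteegen.workers.dev. For a real client the standard library's http.cookiejar.CookieJar already implements this matching; the point of the hand-rolled version is to make the scoping decision visible.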
