Doesn't correctly handle storing cookies in session after redirect to different domain
After a redirect to a different domain, a cookie set using Set-Cookie without a Domain should become a cookie set only for the redirected domain, but HTTPie saves it in the session of the original domain.
Steps to reproduce:

- Save `app.py` and `app2.py` (needs Python 3+, Flask 1.1.0):

  `app.py`:

  ```python
  from flask import Flask, redirect

  app = Flask(__name__)


  @app.route('/set')
  def set_():
      return redirect("http://localhost:5001/callback")
  ```

  `app2.py`:

  ```python
  from flask import Flask, make_response

  app = Flask(__name__)


  @app.route('/callback')
  def callback():
      resp = make_response()
      resp.set_cookie("test", "test", max_age=3600)
      return resp
  ```

- Run both apps in two separate terminals:

  ```shell
  flask run
  FLASK_APP=app2.py flask run -p 5001
  ```

- Run

  ```shell
  http --session=foo -v -F http://localhost:5000/set
  ```

- The cookie will be saved in the session for `localhost:5000`, and not for `localhost:5001`. Separate requests to `http://localhost:5001` will not send the cookie.
When using a session file instead (`--session=./session.json`), the cookie will be saved in the single session file and will be sent on subsequent requests, but without taking the cookie domain into account, which can be problematic for some sites and use cases.
See https://tools.ietf.org/html/rfc6265
I seem to be hitting this also.
I make a request to a domain X which wants to redirect me to a different authorisation domain A, along with a non-domain-specific cookie to use:

```http
Location: https://A/SSO/redirect?redirect_uri=https://X/blah
Set-Cookie: sso=aabb12345678; Path=/; Max-Age=36000; Secure; HttpOnly; SameSite=None
```
But the following request to domain A fails to include that new cookie. If I examine the headers in the accompanying session file, I see the domain is wrongly explicitly set for this cookie!
```json
"cookies": [
    {
        "domain": "X",
        "expires": 1674173346,
        "name": "sso",
        "path": "/",
        "secure": true,
        "value": "aabb12345678"
    }
]
```
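The RFC 6265 rules both reports rely on, as an added example that is neither HTTPie's code nor the reporters': a `Set-Cookie` without a `Domain` attribute becomes a host-only cookie for the host that sent the response (the redirect target, not the original host), and a later request receives it only when host, path and scheme match. The hosts `a.example` and `x.example` are placeholders for A and X; the header is the one quoted in the comment above.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Header quoted in the report above; the hosts used with it are placeholders.
SSO_HEADER = "sso=aabb12345678; Path=/; Max-Age=36000; Secure; HttpOnly; SameSite=None"

@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # host or domain the cookie is scoped to
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False

def parse_set_cookie(header: str, response_url: str) -> Cookie:
    """RFC 6265 section 5.3: with no Domain attribute the cookie is a host-only
    cookie for the host that sent *this* response, i.e. the redirect target,
    not the host the client originally asked for."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    host = (urlsplit(response_url).hostname or "").lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and not (host == domain or host.endswith("." + domain)):
        raise ValueError("Domain attribute does not cover the response host")
    return Cookie(name, value, domain or host, host_only=not domain,
                  path=attrs.get("path") or "/",  # default-path rule simplified
                  secure="secure" in attrs)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def should_send(cookie: Cookie, request_url: str) -> bool:
    """RFC 6265 section 5.4: send only to a matching host (exact match for
    host-only cookies), a matching path, and over https when Secure is set."""
    u = urlsplit(request_url)
    host = (u.hostname or "").lower()
    if cookie.host_only:
        domain_ok = host == cookie.domain
    else:
        domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    if cookie.secure and u.scheme != "https":
        return False
    return domain_ok and path_matches(u.path or "/", cookie.path)
```

Parsing `SSO_HEADER` against the response from `https://a.example/SSO/redirect` yields a host-only cookie for `a.example`, which `should_send` accepts for `https://a.example/SSO/next` and rejects for `https://x.example/blah`; storing it under X, as the session file above does, is what the RFC rules out.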