
HTTP Redirect (302) Doesn't Use Cookie in Following GET Request

Here is a question I have been researching for some time now.

I have a redirect that does not seem to be respecting a Set-Cookie attribute in a 302 Redirect.

Here are the request and response headers that I used Wireshark to obtain.

HTTP/1.1 302 Moved Temporarily\r\n
Connection: close\r\n
Location: http://192.168.1.1:8888/home/\r\n
Set-Cookie: foo=test_data; Domain=192.168.1.1; Path=/\r\n
\r\n

GET /home/ HTTP/1.1\r\n
Host: 192.168.1.1:8888\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
DNT: 1\r\n
\r\n

I sanitized the content just a bit, but nothing critical should have been modified. The point is no matter the browser I use, the cookie 'foo' is not put in the GET request following the 302. From what I have read, this is not expected behavior. Am I incorrect in believing this? Is there something that I am missing or doing wrong with the 302?

Sierpwnski asked Mar 09 '23 03:03



1 Answer

In the question, the Cookie header does not appear in the redirected HTTP request (GET http://192.168.1.1:8888/home). The root cause is that the cookie foo=test_data never exists. When it is delivered from the server by the Set-Cookie response header, it would be rejected by the browser, as its Domain does not include the original server.

According to MDN:

A cookie belonging to a domain that does not include the origin server should be rejected by the user agent. The following cookie will be rejected if it was set by a server hosted on originalcompany.com.

Set-Cookie: qwerty=219ffwef9w0f; Domain=somecompany.co.uk; Path=/; Expires=Wed, 30 Aug 2019 00:00:00 GMT

For a more accurate description, you can check RFC 6265 section 4.1.2.3.

This is designed for a good reason. If every server could Set-Cookie for every domain, it would be extremely easy to wipe out other websites' cookies, which would be a disaster for the internet.

shaochuancs answered Mar 25 '23 00:03

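The rule the answer cites can be checked mechanically. Below is an added Python model (not code from the question or the answer) of the RFC 6265 domain-match algorithm (section 5.1.3), the storage check for the Domain attribute (section 5.3, step 6) and the send check (section 5.4). It replays the 302 from the question: the cookie is stored only if the host that sent the 302 domain-matches `Domain=192.168.1.1`, which is why the origin host matters even though the page does not say which server issued the redirect. Host names, the hypothetical origin host `10.0.0.5` and the helper function names are constructed for this example; the MDN `originalcompany.com` / `somecompany.co.uk` case is replayed as well. The model ignores Path, Expires, Secure and HttpOnly, and does not handle IPv6 literals.

```python
"""Model of RFC 6265 cookie Domain scoping (added example, not from the page)."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def canonicalize(host: str) -> str:
    """RFC 6265 5.1.2, simplified: lower-case, drop trailing dot and any :port.

    Ports are not part of cookie scope (RFC 6265 8.5). IDNA encoding of
    non-ASCII labels and IPv6 literals are not modelled here.
    """
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:          # "host:port" form only
        host = host.split(":", 1)[0]
    return host


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(string: str, domain_string: str) -> bool:
    """RFC 6265 5.1.3: does the request host `string` domain-match `domain_string`?"""
    string, domain_string = canonicalize(string), canonicalize(domain_string)
    if string == domain_string:
        return True
    # The suffix rule applies to host names only, never to IP addresses, so
    # "192.168.1.1" does not domain-match "168.1.1".
    return (
        string.endswith(domain_string)
        and string[-len(domain_string) - 1] == "."
        and not is_ip_address(string)
    )


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def store_cookie(request_host: str, header: str) -> Optional[Dict[str, object]]:
    """RFC 6265 5.3 step 6: return the stored record, or None if the UA rejects it."""
    name, value, attrs = parse_set_cookie(header)
    domain_attr = attrs.get("domain", "").lstrip(".")   # leading dot is ignored (5.2.3)
    if domain_attr:
        if not domain_matches(request_host, domain_attr):
            return None                                 # Domain does not cover the sender
        return {"name": name, "value": value,
                "domain": canonicalize(domain_attr), "host_only": False}
    # No Domain attribute: host-only cookie for the exact request host.
    return {"name": name, "value": value,
            "domain": canonicalize(request_host), "host_only": True}


def cookie_header_for(request_host: str, jar: List[Dict[str, object]]) -> str:
    """RFC 6265 5.4: build the Cookie header value a UA would send to request_host."""
    host = canonicalize(request_host)
    sent = []
    for c in jar:
        if c["host_only"]:
            ok = host == c["domain"]
        else:
            ok = domain_matches(host, str(c["domain"]))
        if ok:
            sent.append(f"{c['name']}={c['value']}")
    return "; ".join(sent)


def simulate_redirect(origin_host: str, set_cookie_header: str, redirect_host: str) -> str:
    """Set-Cookie arrives on the 302 from origin_host; return the Cookie header
    (possibly empty) that the follow-up GET to redirect_host would carry."""
    jar: List[Dict[str, object]] = []
    stored = store_cookie(origin_host, set_cookie_header)
    if stored is not None:
        jar.append(stored)
    return cookie_header_for(redirect_host, jar)


if __name__ == "__main__":
    # Cookie from the question (Set-Cookie: foo=test_data; Domain=192.168.1.1; Path=/)
    hdr = "foo=test_data; Domain=192.168.1.1; Path=/"
    # Hypothetical: the 302 came from the same host the Location points at.
    print(simulate_redirect("192.168.1.1:8888", hdr, "192.168.1.1:8888"))   # foo=test_data
    # Hypothetical: the 302 came from a different host (10.0.0.5, constructed).
    print(repr(simulate_redirect("10.0.0.5", hdr, "192.168.1.1:8888")))     # ''
```

Run it and compare with what Wireshark shows: an empty Cookie header on the follow-up GET means the cookie was never stored, and the only attribute in the question's Set-Cookie that can cause that is Domain. The same model reproduces the MDN rejection example when the sender is `originalcompany.com`.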