Serious CookieContainer bug?

Question

Am I missing something here or is this a bug in the CookieContainer?

I'm adding 3 cookies to the container and then I call the GetCookieHeader function for 2 urls:

CookieContainer cc = new CookieContainer();

cc.Add(new Cookie("Cookie1", "1", "/a", "test.com"));
cc.Add(new Cookie("Cookie2", "2", "/a/0/", "test.com"));
cc.Add(new Cookie("Cookie3", "3", "/a/1/", "test.com"));

var result1 = cc.GetCookieHeader(new Uri("http://test.com/a/1/list"));
Assert.AreEqual("Cookie3=3; Cookie1=1", result1);

var result2 = cc.GetCookieHeader(new Uri("http://test.com/a/0/list"));
Assert.AreEqual("Cookie2=2; Cookie1=1", result2);

The problem is the last assertion which throws an exception as the returned header is only "Cookie2=2". I don't see any reason why the Cookie1 cookie is omitted there - according to RFC6265 it should return two cookies similar to the first assertion above, shouldn't it?

A couple of remarks:

• The cookies are all in the container so it's not the adding that's the problem but the GetHeader function.

• This behaviour stays the same when adding 4, 5 etc. cookies: Only a path matching the last added cookie will include the cookie for the base path!

• The behaviour changes when removing all "a" in the paths and using only "/", "/0/" and "/1/" as paths for the 3 cookies and "http://test.com/1/list" and "http://test.com/0/list" in the assertion urls). All the assertions then succeed - I would expect the same behaviour with the "a"!

PS: Let me add the relevant part from the spec:

A request-path path-matches a given cookie-path if at least one of the following conditions holds:

- The cookie-path and the request-path are identical.

- The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/").

- The cookie-path is a prefix of the request-path, and the first character of the request-path that is not included in the cookie-path is a %x2F ("/") character.

So to me this is clearly a bug...?

Answer 1

I believe I found the problem. In the System.Net.CookieContainer class in function InternalGetCookies(Uri) around lines 700-730 there's an iteration over the paths. After the first path is found, those cookies are added and the iteration is then breaked and only the values for "/" are additionally being added!

In other words: You only get the cookies from the first matching path and those from "/". To me this is a clear misbehaviour and therefore a bug - or I don't understand the RFC I mentioned above.