I am trying to write a client to some web app. At one point it sends the following Set-cookie:
JSESSIONID=1BDC39CBF91C299C3330963D1EEFE399; Path=; HttpOnly; Secure, JSESSIONID=E6FFF3B159AFB9575D47662FC70DC161; Path=/; Secure; HttpOnly, XSESSIONID=b163abe6-bd6c-4381-9f68-01eeaee15a6c; Path=/; Secure; HttpOnly
It is unclear to me what is the meaning of having the same cookie name twice and what I am supposed to send back to the server?
I checked it with the following python code:
import sys
if sys.version_info.major == 2:
from Cookie import SimpleCookie
else:
from http.cookies import SimpleCookie
set_cookie = "JSESSIONID=1BDC39CBF91C299C3330963D1EEFE399; Path=; HttpOnly; Secure, JSESSIONID=E6FFF3B159AFB9575D47662FC70DC161; Path=/; Secure; HttpOnly, XSESSIONID=b163abe6-bd6c-4381-9f68-01eeaee15a6c; Path=/; Secure; HttpOnly"
cookies = SimpleCookie()
cookies.load(set_cookie)
for name in cookies.keys():
print("{} = {}".format(name, cookies[name].value))
for field in ['secure', 'httponly', 'path']:
print(" {}: {}".format(field, cookies[name][field]))
The python 2 code shows only one of the duplicate keys. The python 3 version does not recognize this at all.
$ /usr/bin/python cookie.py
XSESSIONID = b163abe6-bd6c-4381-9f68-01eeaee15a6c
secure: True
httponly: True
path: /
JSESSIONID = E6FFF3B159AFB9575D47662FC70DC161
secure: True
httponly: True
path: /
$ python3 cookie.py
So I would like to understand what is the meaning of having the same key twice and what should be sent back to the server?
It would be also nice to understand why does the Python 3 library disregard the whole string. What do I need to do to fix it?
Related
Firstly, I need to send requests to the API of the resource. The resource is protected by CloudFlare detecting system.
I cannot send any request. The response is 403 Forbidden.
No data, no cookies.
Firstly, the API request requires cookies in headers. I found the request that was sent to accept all cookies.
After that I copied the bash of request, switched off all headers and sent request through Insomnia. It returned me completed cookies.
When I send the identical request in code it returned me 403 Forbidden status and non-completed cookies.
After that I decided to check the difference between browser, Insomnia and Python requests. I used Fiddler4. Python request returned 200 OK when I send the request in Python and everything returns me completed cookies. But if I switch Fiddler off I have 403 status.
Result of sending Python request with Fiddler:
[200 OK]
__Host-ariregweb=g4q8icpEmmIdHnQmFSNsfHdNhLLsgISKE7XRzphrLiscb4pSIzrpRLm9aiLCHqXa; Domain=ariregister.rik.ee; HttpOnly; Path=/; SameSite=lax; Secure; __cf_bm=GIYOJNShc1kY79bPk7GG1U6T.jV6K4BG8DLQoc70NT8-1671428340-0-AcxNKFuuhvkmblvy/q4WPGEPezvLQUL8/k6NeylOmaX5awlf1L7eOWnc55DGMsyPzpv5YKUDL6w100KlzzjsJVE=; Domain=ariregister.rik.ee; expires=Mon, 19-Dec-22 06:09:00 GMT; HttpOnly; Path=/; SameSite=None; Secure; _cfuvid=0EIfdSb4ltpOgYzKuMthWVvN0x5L3kn_uCfhyvBEk34-1671428340155-0-604800000; Domain=ariregister.rik.ee; HttpOnly; Path=/; SameSite=None; Secure
Result of sending Python request without Fiddler:
[403 Forbidden]
__cf_bm=0h8pprOoE6nOtjrZt6MYx6l7_4DIxIPn1_BL_e7Um2s-1671430063-0-AbvFUsYR8fOTT0NnrO1B4lJVTziYD+x2pnPLx1IyGjsgC29mqBNk+9iXhw2b1ewJiL2Cyi/iaTUilt6uPIbrSnw=; Domain=ariregister.rik.ee; expires=Mon, 19-Dec-22 06:37:43 GMT; HttpOnly; Path=/; SameSite=None; Secure
Maybe someone had such kind of problem or has some ideas how to bypass it. Thanks a lot.
In AWS docs it says, you can set cookie to their domain like this:
Set-Cookie: CloudFront-Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL2QxMTExMTFhYmNkZWY4LmNsb3VkZnJvbnQubmV0L2dhbWVfZG93bmxvYWQuemlwIiwiQ29uZGl0aW9uIjp7IklwQWRkcmVzcyI6eyJBV1M6U291cmNlSXAiOiIxOTIuMC4yLjAvMjQifSwiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE0MjY1MDAwMDB9fX1dfQ__; Domain=d111111abcdef8.cloudfront.net; Path=/; Secure; HttpOnly
Set-Cookie: CloudFront-Signature=dtKhpJ3aUYxqDIwepczPiDb9NXQ_; Domain=d111111abcdef8.cloudfront.net; Path=/; Secure; HttpOnly
Set-Cookie: CloudFront-Key-Pair-Id=K2JCJMDEHXQW5F; Domain=d111111abcdef8.cloudfront.net; Path=/; Secure; HttpOnly
but my django code:
response.set_cookie(
'CloudFront-Policy',
'eyJTdGF0ZW1lbnQ...',
domain=settings.AWS_CLOUDFRONT_DOMAIN,
secure=True,
httponly=True
)
not setting the cookie to their domain. I know it is security issue, but why AWS mentions this in documentation? any help appreciated.
okay, at the end, the solution was to use cname with altername domain. :/ turned out to be the right way anyway.
I just want a better idea of what's going on here, I can of course "work around" the problem by using urllib2.
import urllib
import urllib2
url = "http://www.crutchfield.com/S-pqvJFyfA8KG/p_15410415/Dynamat-10415-Xtreme-Speaker-Kit.html"
# urllib2 works fine (foo.headers / foo.read() also behave)
foo = urllib2.urlopen(url)
# urllib throws errors though, what specifically is causing this?
bar = urllib.urlopen(url)
http://pae.st/AxDW/ shows this code in action with the exception/stacktrace. foo.headers and foo.read() work fine
stu#sente.cc ~ $: curl -I "http://www.crutchfield.com/S-pqvJFyfA8KG/p_15410415/Dynamat-10415-Xtreme-Speaker-Kit.html"
HTTP/1.1 302 Object Moved
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Location: /S-FSTWJcduy5w/p_15410415/Dynamat-10415-Xtreme-Speaker-Kit.html
Server: Microsoft-IIS/7.5
Set-Cookie: SESSIONID=FSTWJcduy5w; domain=.crutchfield.com; expires=Fri, 22-Feb-2013 22:06:43 GMT; path=/
Set-Cookie: SYSTEMID=0; domain=.crutchfield.com; expires=Fri, 22-Feb-2013 22:06:43 GMT; path=/
Set-Cookie: SESSIONDATE=02/23/2012 17:07:00; domain=.crutchfield.com; expires=Fri, 22-Feb-2013 22:06:43 GMT; path=/
X-AspNet-Version: 4.0.30319
HostName: cws105
Date: Thu, 23 Feb 2012 22:06:43 GMT
Thanks.
This server is both non-deterministic and sensitive to HTTP version. urllib2 is HTTP/1.1, urllib is HTTP/1.0. You can reproduce this by running curl --http1.0 -I "http://www.crutchfield.com/S-pqvJFyfA8KG/p_15410415/Dynamat-10415-Xtreme-Speaker-Kit.html"
a few times in a row. You should see the output curl: (52) Empty reply from server occasionally; that's the error urllib is reporting. (If you re-issue the request a bunch of times with urllib, it should succeed sometimes.)
I solved the Problem. I simply using now the urrlib instead of urllib2 and anything works fine thank you all :)
When i use python SimpleCookie object to pick up cookie from http headers, some exception occurs:
cookiestr = "a_em=[BU]co|12345678-901234567[DG]; Expires=Sat, 31 Dec 2016 17:09:50 GMT; Domain=.somesite.com; Path=/"
C = Cookie.SimpleCookie()
C.load(cookiestr)
print C
the output is:
Set-Cookie: a_em=; Domain=.somesite.com; expires=Sat,; Path=/
the cookie value and the cookie expires time is error!
how should i solve this?
RFC format for expires should be:
Expires=Sat, 31-Dec-2016 17:09:50 GMT
The full string should be (note quotes)
cookiestr = 'a_em="[BU]co|12345678-901234567[DG]"; Expires=Sat, 31-Dec-2016 17:09:50 GMT; Domain=.somesite.com; Path=/'
I want to get the domain of the cookie from the HTTP response. Code is:
cookie = Cookie.SimpleCookie()
cookie.load(cookie_string)
print 'cookie = ', cookie
this shows the cookie as
cookie= Set-Cookie: Cycle=MA==|MA==|MA==; Domain=.abc.xyz.net; expires=Tue, 05-Oct-2021 04:15:18 GMT; Path=/
I want to extract the domain from the above result.
I am trying
print cookie['Domain']
print cookie['Domain'].value
print cookie['Cycle']['Domain'].value
None of these work.
Thanks
try:
cookie['Cycle']['domain'] # lowercase domain !