Bug 111060

Summary: [Curl] Session cookies should not be persistent.
Product: WebKit Reporter: peavo
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Unspecified   
Attachments:
Description Flags
Patch none

peavo
Reported 2013-02-28 02:25:05 PST
Curl saves both persistent cookies, and session cookies to the cookie file. The session cookies should be deleted before starting a new session.
Attachments
Patch (3.21 KB, patch)
2013-02-28 02:35 PST, peavo 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
peavo
Comment 1 2013-02-28 02:35:04 PST
Created attachment 190688 [details] Patch
Brent Fulgham
Comment 2 2013-02-28 23:30:02 PST
Comment on attachment 190688 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=190688&action=review The change looks fine, but I don't see that session cookies are being cleared out, unless the call to curl_easy_cleanup() is doing this when the CURLopt_COOKIESESSION is enabled. That this is correct? Can you confirm? > Source/WebCore/platform/network/curl/ResourceHandleManager.cpp:779 > + curl_easy_cleanup(curl); So, does this call cause cURL To discard the session cookies?
peavo
Comment 3 2013-03-01 06:05:37 PST
(In reply to comment #2) > (From update of attachment 190688 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=190688&action=review > > The change looks fine, but I don't see that session cookies are being cleared out, unless the call to curl_easy_cleanup() is doing this when the CURLopt_COOKIESESSION is enabled. That this is correct? > Can you confirm? > > > Source/WebCore/platform/network/curl/ResourceHandleManager.cpp:779 > > + curl_easy_cleanup(curl); > > So, does this call cause cURL To discard the session cookies? Yes, you are absolutely right. The documentation states that when a cookie file is set (with CURLOPT_COOKIEJAR), all known cookies will be written to this file when curl_easy_cleanup() is called. Setting CURLOPT_COOKIESESSION to 1 before closing the handle will remove all session cookies before the cookie database is written to disk. Also see http://curl.haxx.se/libcurl/c/curl_easy_setopt.html (CURLOPT_COOKIEJAR and CURLOPT_COOKIESESSION).
Brent Fulgham
Comment 4 2013-03-01 10:47:03 PST
Comment on attachment 190688 [details] Patch R=me
WebKit Review Bot
Comment 5 2013-03-01 11:15:17 PST
Comment on attachment 190688 [details] Patch Clearing flags on attachment: 190688 Committed r144474: <http://trac.webkit.org/changeset/144474>
WebKit Review Bot
Comment 6 2013-03-01 11:15:20 PST
All reviewed patches have been landed. Closing bug.
peavo
Comment 7 2013-03-01 11:28:24 PST
(In reply to comment #4) > (From update of attachment 190688 [details]) > R=me Thanks for reviewing ;)
Note You need to log in before you can comment on or make changes to this bug.