Bug 111060

Summary: [Curl] Session cookies should not be persistent.
Product: WebKit Reporter: peavo
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description peavo 2013-02-28 02:25:05 PST
Curl saves both persistent cookies, and session cookies to the cookie file.
The session cookies should be deleted before starting a new session.
Comment 1 peavo 2013-02-28 02:35:04 PST
Created attachment 190688 [details]
Patch
Comment 2 Brent Fulgham 2013-02-28 23:30:02 PST
Comment on attachment 190688 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=190688&action=review

The change looks fine, but I don't see that session cookies are being cleared out, unless the call to curl_easy_cleanup() is doing this when the CURLopt_COOKIESESSION  is enabled. That this is correct?
Can you confirm?

> Source/WebCore/platform/network/curl/ResourceHandleManager.cpp:779
> +    curl_easy_cleanup(curl);

So, does this call cause cURL To discard  the session cookies?
Comment 3 peavo 2013-03-01 06:05:37 PST
(In reply to comment #2)
> (From update of attachment 190688 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=190688&action=review
> 
> The change looks fine, but I don't see that session cookies are being cleared out, unless the call to curl_easy_cleanup() is doing this when the CURLopt_COOKIESESSION  is enabled. That this is correct?
> Can you confirm?
> 
> > Source/WebCore/platform/network/curl/ResourceHandleManager.cpp:779
> > +    curl_easy_cleanup(curl);
> 
> So, does this call cause cURL To discard  the session cookies?

Yes, you are absolutely right.

The documentation states that when a cookie file is set (with CURLOPT_COOKIEJAR),
all known cookies will be written to this file when curl_easy_cleanup() is called.
Setting CURLOPT_COOKIESESSION to 1 before closing the handle will remove all session cookies before the cookie database is written to disk.
Also see http://curl.haxx.se/libcurl/c/curl_easy_setopt.html (CURLOPT_COOKIEJAR and CURLOPT_COOKIESESSION).
Comment 4 Brent Fulgham 2013-03-01 10:47:03 PST
Comment on attachment 190688 [details]
Patch

R=me
Comment 5 WebKit Review Bot 2013-03-01 11:15:17 PST
Comment on attachment 190688 [details]
Patch

Clearing flags on attachment: 190688

Committed r144474: <http://trac.webkit.org/changeset/144474>
Comment 6 WebKit Review Bot 2013-03-01 11:15:20 PST
All reviewed patches have been landed.  Closing bug.
Comment 7 peavo 2013-03-01 11:28:24 PST
(In reply to comment #4)
> (From update of attachment 190688 [details])
> R=me

Thanks for reviewing ;)