Bug 111060 - [Curl] Session cookies should not be persistent.
Summary: [Curl] Session cookies should not be persistent.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-28 02:25 PST by peavo
Modified: 2013-03-01 11:28 PST (History)
2 users (show)

See Also:


Attachments
Patch (3.21 KB, patch)
2013-02-28 02:35 PST, peavo
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description peavo 2013-02-28 02:25:05 PST
Curl saves both persistent cookies, and session cookies to the cookie file.
The session cookies should be deleted before starting a new session.
Comment 1 peavo 2013-02-28 02:35:04 PST
Created attachment 190688 [details]
Patch
Comment 2 Brent Fulgham 2013-02-28 23:30:02 PST
Comment on attachment 190688 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=190688&action=review

The change looks fine, but I don't see that session cookies are being cleared out, unless the call to curl_easy_cleanup() is doing this when the CURLopt_COOKIESESSION  is enabled. That this is correct?
Can you confirm?

> Source/WebCore/platform/network/curl/ResourceHandleManager.cpp:779
> +    curl_easy_cleanup(curl);

So, does this call cause cURL To discard  the session cookies?
Comment 3 peavo 2013-03-01 06:05:37 PST
(In reply to comment #2)
> (From update of attachment 190688 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=190688&action=review
> 
> The change looks fine, but I don't see that session cookies are being cleared out, unless the call to curl_easy_cleanup() is doing this when the CURLopt_COOKIESESSION  is enabled. That this is correct?
> Can you confirm?
> 
> > Source/WebCore/platform/network/curl/ResourceHandleManager.cpp:779
> > +    curl_easy_cleanup(curl);
> 
> So, does this call cause cURL To discard  the session cookies?

Yes, you are absolutely right.

The documentation states that when a cookie file is set (with CURLOPT_COOKIEJAR),
all known cookies will be written to this file when curl_easy_cleanup() is called.
Setting CURLOPT_COOKIESESSION to 1 before closing the handle will remove all session cookies before the cookie database is written to disk.
Also see http://curl.haxx.se/libcurl/c/curl_easy_setopt.html (CURLOPT_COOKIEJAR and CURLOPT_COOKIESESSION).
Comment 4 Brent Fulgham 2013-03-01 10:47:03 PST
Comment on attachment 190688 [details]
Patch

R=me
Comment 5 WebKit Review Bot 2013-03-01 11:15:17 PST
Comment on attachment 190688 [details]
Patch

Clearing flags on attachment: 190688

Committed r144474: <http://trac.webkit.org/changeset/144474>
Comment 6 WebKit Review Bot 2013-03-01 11:15:20 PST
All reviewed patches have been landed.  Closing bug.
Comment 7 peavo 2013-03-01 11:28:24 PST
(In reply to comment #4)
> (From update of attachment 190688 [details])
> R=me

Thanks for reviewing ;)