-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookies with "Domain=localhost" aren't getting stored in session file #602
Comments
It seems to be a behavior inherited from |
Related #143 |
I just ran into the same problem (httpie not saving cookie in session when domain is set to localhost). Is there a workaround within httpie? The only way I can fix it is by not sending a domain in the cookie when serving from localhost: $domain = (getenv('HTTP_HOST') == 'localhost' ? null : getenv('HTTP_HOST')); |
'localhost' isn't valid for cookies. A valid domain name should be set. See https://curl.se/rfc/cookie_spec.html for more information. Short story, localhost is not a valid hostname. What I would suggest is to avoid using "localhost" and rather set a valid domain like "project.dev" in your hosts file. Hope that clarify. regards, edit: answer is partially wrong, see bellow for more. |
Hi Ousret, The Netscape cookie spec doesn't mention
If you check the list of public suffixes, Httpie may decide to block cookies for You can test that
setcookie("testcookie", "testvalue", time() + 3600, "/", "localhost", false, true);
curl -c cookies.txt http://localhost/set_cookie.php
curl -b cookies.txt http://localhost/read_cookie.php
{"testcookie":"testvalue"} TL;DR:
Sorry for the long comment, I wanted to get it right. PS: |
Great & pertinent analysis. I was wrong then, Indeed Now, as I said, HTTPie depends on external libraries (incl base for standard library Python) for this: from requests.cookies import RequestsCookieJar, remove_cookie_by_name And the standard library does handle this case. Either HTTPie drop the standard library or somehow "circumvent" the said limitation. Now as you said, HTTPie is free of "not carrying" about this domain. I don't have strong opinion on the topic.
I merely said that as a solution to unblock this. Not to state a standard way of doing things. regards, |
Do you have any evidence that HTTPie is the only user agent not accepting this? |
I created a test case in pure python using the There is some discussion at pfs/requests issue #5977 which passes the blame to Python's CookieJar.extract_cookies:
The python/cpython issue #90233 is tracking this:
And has apparently been resolved with PR #30108: “ bpo-46075: Allow for explicit domains in CookieJar” in 2022, included in python v3.11. However, I'm using v3.12 and the issue still exists, so perhaps I've followed up the wrong branch of issues? Once I realized this is a python bug, it's easy to find much discussion of it online, and everyone has different ways of resolving it. One example is this code in the Pylons project that takes
No, all I can say is that I've been developing on localhost since 2003, and cookies always work fine in every user agent I tried, until now. |
I may consider adding this to Niquests directly, and thus making this issue fixed in #1531 regards, |
The standard library does not allow this special domain. Researches showed that a valid domain should have at least two dots (e.g. abc.com. and xyz.tld. but not com.). Public suffixes cannot be used as a cookie domain for security reasons, but as `localhost` isn't one we are explicitly allowing it. Reported in httpie/cli#602 `RequestsCookieJar` set a default policy that circumvent that limitation, if you specified a custom cookie policy then this fix won't be applied.
The standard library does not allow this special domain. Researches showed that a valid domain should have at least two dots (e.g. abc.com. and xyz.tld. but not com.). Public suffixes cannot be used as a cookie domain for security reasons, but as `localhost` isn't one we are explicitly allowing it. Reported in httpie/cli#602 `RequestsCookieJar` set a default policy that circumvent that limitation, if you specified a custom cookie policy then this fix won't be applied.
It should be published in the next minor of Niquests. |
…ance (#124) 3.6.5 (2024-05-22) ------------------ **Fixed** - Support `localhost` as a valid domain for cookies. The standard library does not allow this special domain. Researches showed that a valid domain should have at least two dots (e.g. abc.com. and xyz.tld. but not com.). Public suffixes cannot be used as a cookie domain for security reasons, but as `localhost` isn't one we are explicitly allowing it. Reported in httpie/cli#602 `RequestsCookieJar` set a default policy that circumvent that limitation, if you specified a custom cookie policy then this fix won't be applied. **Changed** - Lazy load the OCSP extension in order to improve the import performance. **Removed** - Class variable `disable_thread` in `AsyncSession` that is no longer relevant since the native asyncio implementation. (PR #122)
If I use httpie to make a call that returns cookies to a localhost address, such as:
which sends back a header like this:
but the
session.json
only includes the following:If I try this exact same process with the same code hosted at
somedomain.com
, it works perfectly. For example:which sends back a header like this:
and the
session.json
includes the following:Is there any way to get it to work with localhost? Or is this a bug?
The text was updated successfully, but these errors were encountered: