
Here is a question I have been researching for some time now.

I have a redirect that does not seem to be respecting a Set-Cookie attribute in a 302 Redirect.

Here are the request and response headers that I used Wireshark to obtain.

HTTP/1.1 302 Moved Temporarily\r\n
Connection: close\r\n
Location: http://192.168.1.1:8888/home/\r\n
Set-Cookie: foo=test_data; Domain=192.168.1.1; Path=/\r\n
\r\n

GET /home/ HTTP/1.1\r\n
Host: 192.168.1.1:8888\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
DNT: 1\r\n
\r\n

I sanitized the content just a bit, but nothing critical should have been modified. The point is no matter the browser I use, the cookie 'foo' is not put in the GET request following the 302. From what I have read, this is not expected behavior. Am I incorrect in believing this? Is there something that I am missing or doing wrong with the 302?

Sierpwnski

1 Answer

In the question, the Cookie header does not appear in the redirected HTTP request (GET http://192.168.1.1:8888/home). The root cause is: the cookie foo=test_data never exists. When it is delivered from the server by the Set-Cookie response header, it is rejected by the browser, as its Domain does not include the original server.

According to MDN:

A cookie belonging to a domain that does not include the origin server should be rejected by the user agent. The following cookie will be rejected if it was set by a server hosted on originalcompany.com.

Set-Cookie: qwerty=219ffwef9w0f; Domain=somecompany.co.uk; Path=/; Expires=Wed, 30 Aug 2019 00:00:00 GMT

For a more accurate description, you can check RFC 6265, section 4.1.2.3.

This is designed for a good reason. If any server could Set-Cookie for any domain, it would be extremely easy to wipe out other websites' cookies, which would be a disaster for the internet.

shaochuancs
  • Thank you for this response. I have read that page several times and never noticed that crucial detail. Even then, this makes it easy to understand. Thanks. – Sierpwnski Sep 07 '17 at 14:28
  • As it pertains to this question, crucially it's because the domain in the Set-Cookie has no port number, and the domain in the Location has port 8888; this makes them effectively different domains. – Evan Carroll Mar 27 '23 at 15:48
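The following is an added example, not code from the question or the answer, that models the user-agent check the answer describes: RFC 6265 section 5.1.3 domain matching, the section 5.3 acceptance step that ignores a Set-Cookie whose Domain attribute does not cover the request host, and the section 5.4 decision of which stored cookies go back to a host. The check works on the canonicalized host name only; the port in the Host header is stripped first and never takes part in the comparison (RFC 6265 section 8.5). The public-suffix check of section 5.3 is omitted, and the host names in the sample data (gateway.example.test, www.example.test, api.example.test) are constructed for illustration; only 192.168.1.1, the foo cookie and the MDN qwerty cookie come from the page.

```python
# Added example: user-agent-side model of RFC 6265 cookie Domain rules.
# Not code from the question or answer; sample host names are constructed.
import ipaddress


def canonical_host(host_header):
    """Canonicalized request-host (RFC 6265 s5.1.2, simplified): drop any
    port from a Host header value and lowercase it. Ports are never part of
    a cookie's scope (RFC 6265 s8.5), so 192.168.1.1:8888 becomes 192.168.1.1."""
    host = host_header.strip().lower()
    if host.startswith("["):                  # IPv6 literal such as [::1]:8888
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_ip(host):
    """True if the string is an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(string, domain_string):
    """RFC 6265 s5.1.3: does `string` domain-match `domain_string`?
    Either the two are identical, or domain_string is a dot-separated suffix
    of a string that is a host name (an IP address never suffix-matches)."""
    if string == domain_string:
        return True
    return (string.endswith(domain_string)
            and string[-len(domain_string) - 1] == "."
            and not is_ip(string))


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: (name, value, {lowercase attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def accept_cookie(host_header, set_cookie):
    """RFC 6265 s5.3 steps 4-6 (public-suffix step omitted).
    Returns the cookie the user agent would store, or None if it is ignored."""
    request_host = canonical_host(host_header)
    name, value, attrs = parse_set_cookie(set_cookie)
    domain_attr = attrs.get("domain", "")
    if domain_attr.startswith("."):           # s5.2.3: a leading dot is dropped
        domain_attr = domain_attr[1:]
    domain_attr = domain_attr.lower()
    if "domain" in attrs and not domain_attr:  # s5.2.3: empty Domain => ignore
        return None
    if domain_attr:
        if not domain_matches(request_host, domain_attr):
            return None                       # s5.3 step 6: host not covered
        return {"name": name, "value": value, "domain": domain_attr,
                "host_only": False, "path": attrs.get("path", "/")}
    return {"name": name, "value": value, "domain": request_host,
            "host_only": True, "path": attrs.get("path", "/")}


def cookie_header_for(cookie_jar, host_header):
    """RFC 6265 s5.4, host part only: the Cookie header sent to this host."""
    host = canonical_host(host_header)
    sent = []
    for cookie in cookie_jar:
        if cookie["host_only"]:
            if host == cookie["domain"]:
                sent.append(cookie)
        elif domain_matches(host, cookie["domain"]):
            sent.append(cookie)
    return "; ".join(f"{c['name']}={c['value']}" for c in sent)


# Constructed sample data: the question's Set-Cookie as if issued by a server
# whose host is not 192.168.1.1, the MDN example quoted in the answer, and
# two cases that are accepted.
SAMPLES = [
    ("gateway.example.test", "foo=test_data; Domain=192.168.1.1; Path=/"),
    ("originalcompany.com", "qwerty=219ffwef9w0f; Domain=somecompany.co.uk; Path=/"),
    ("www.example.test", "sid=abc123; Domain=example.test; Path=/"),
    ("192.168.1.1:8888", "bar=1; Domain=192.168.1.1; Path=/"),
]

if __name__ == "__main__":
    jar = []
    for host, header in SAMPLES:
        stored = accept_cookie(host, header)
        print(f"{host:22} {header.split(';')[0]:22} -> "
              f"{'stored' if stored else 'REJECTED'}")
        if stored:
            jar.append(stored)
    print("Cookie header for api.example.test:", cookie_header_for(jar, "api.example.test"))
    print("Cookie header for 192.168.1.1:9999:", cookie_header_for(jar, "192.168.1.1:9999"))
```

Running the module shows the first two samples rejected at acceptance time, which is why no Cookie header can appear on the redirected request: there is nothing in the jar to send. The last sample also shows that a Domain attribute equal to the request host is accepted even for an IP literal, and that the stored cookie is returned to that host regardless of which port the request uses.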