GitHub cookiefile

Question

Since Git uses cURL for HTTP, I am able to have a file ~/.netrc [1] like this:

machine github.com
login 89z
password [Personal access token]

However it seems that another option is available, using cookies [2]. It looks like the syntax would be like this:

[http]
   saveCookies = true
   cookiefile = C:/cookie.txt

My question is, can this be used to push to GitHub? If so, how would I create the cookie file?

score 1 · Accepted Answer · edited Nov 02 '21 at 11:20

The reason I wanted to move away from Netrc, was because not all languages have built-in support to parse. At any rate, I found that the spec [1] and one popular implementation [2] just assume the tokens are separated by whitespace. So if you have control over the Netrc file, then you can just put each entry on its own line, then it's very easy to parse. Here is example with Go:

package main

import (
   "fmt"
   "net/http"
   "os"
)

func netrc(addr string) (*http.Request, error) {
   home, err := os.UserHomeDir()
   if err != nil { return nil, err }
   file, err := os.Open(home + "/_netrc")
   if err != nil { return nil, err }
   defer file.Close()
   var login, pass string
   fmt.Fscanf(file, "default login %v password %v", &login, &pass)
   req, err := http.NewRequest("GET", addr, nil)
   if err != nil { return nil, err }
   req.SetBasicAuth(login, pass)
   return req, nil
}

func main() {
   req, err := netrc("https://api.github.com/rate_limit")
   if err != nil {
      panic(err)
   }
   res, err := new(http.Client).Do(req)
   if err != nil {
      panic(err)
   }
   fmt.Println(res)
}

score 1 · Answer 2 · answered Mar 30 '21 at 01:05

No, this feature cannot be used to push to GitHub. GitHub requires that you use Basic authentication for pushes over HTTPS, and a cookie is not Basic authentication.

This feature exists because some corporate proxies require it to work correctly and perform authentication, and it exists only for that purpose. Because web browsers have additional security measures that are imposed on cookies that most non-web browser user agents don't have, it's much less secure to use cookies as a form of authentication outside of a web browser, in addition to the fact that it is also much more poorly supported.

While you can use the .netrc file for this, using a credential manager is preferred because most credential managers store your data in an encrypted format instead of in plain text on disk.

It depends on what operating system you're running. On Windows, there is also `wincred`; on Linux, there is `libsecret`; and macOS has `osxkeychain`. `libsecret` usually needs to be compiled by hand on most distros, though. — bk2204, Mar 30 '21 at 01:12

score 0 · Answer 3 · answered Aug 01 '23 at 06:33

Check if GCM (Git Credential Manager) v2.2.0 (July 2023) can help in your case.

It describes the problem in issue 1160

Could you please make GCM read cookie files in libcurl format as well as the [Git command}(https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpcookieFile)?
When I issue an OAuth2 token by GCM, the communication to the path /oauth/ is not working well because it is not Git that GCM wraps, but GCM that does not support cookies accesses it.
I want to use this because I need to access the Git server behind the Reverse Proxy with Authenticator for a special reason.

And this is now implemented with PR 1251

I added code to support httpCookieFile.
If httpCookieFile is set in gitconfig, GCM will add cookie header to request headers such as requests about OAuth2.

Note:

This does not support http.saveCookies because when it is set, built-in git will update cookie and gcm need not to update.

If you want git via reverse proxy authentication, you can use this (https://github.com/miya789/git-via-reverse-proxy-authn). The structure image is like this: Git CLI verification via SAML SSO

GitHub cookiefile

3 Answers3