httpie / cli

🥧 HTTPie CLI — modern, user-friendly command-line HTTP client for the API era. JSON support, colors, sessions, downloads, plugins & more.
https://httpie.io
BSD 3-Clause "New" or "Revised" License

cookie is not being set #1463

Open gabrielsroka opened 1 year ago

gabrielsroka commented 1 year ago

Minimal reproduction code and steps

see httpie debug output below from WSL. also repro'd on Ubuntu 22.10

Current result

sid cookie is not being set

Expected result

sid cookie should be set. it works correctly using Chrome, Firefox, curl, and Python/requests with or without a session.

import requests

base_url = 'https://gsroka-neto.oktapreview.com'
token = '...'

# Not using `session`:
r = requests.get(base_url + '/login/sessionCookieRedirect?redirectUrl=/&token=' + token)
sid = r.cookies.get('sid')
print(sid)
print(r.headers['set-cookie'])

u = requests.get(base_url + '/api/v1/users/me', cookies={'sid': sid}).json()
print(u['id'])

Debug output

Please re-run the command with --debug, then copy the entire command & output and paste both below:

I've redacted actual token and cookie values with XXX123.

$ https -vv --debug --session=./cookies.json "https://gsroka-neto.oktapreview.com/login/sessionCookieRedirect?redirectUrl=/&token=token123"

HTTPie 3.2.1
Requests 2.25.1
Pygments 2.11.2
Python 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0]
/usr/bin/python3
Linux 4.4.0-19041-Microsoft

<Environment {'apply_warnings_filter': <function Environment.apply_warnings_filter at 0x7f219af4e950>,
 'args': Namespace(),
 'as_silent': <function Environment.as_silent at 0x7f219af4e830>,
 'colors': 256,
 'config': {'__meta__': {'about': 'HTTPie configuration file',
                         'help': 'https://httpie.org/doc#config',
                         'httpie': '1.0.3'},
            'default_options': []},
 'config_dir': PosixPath('/home/gabrielsroka/.httpie'),
 'devnull': <property object at 0x7f219af3a980>,
 'is_windows': False,
 'log_error': <function Environment.log_error at 0x7f219af4e8c0>,
 'program_name': 'https',
 'quiet': 0,
 'rich_console': <functools.cached_property object at 0x7f219af357e0>,
 'rich_error_console': <functools.cached_property object at 0x7f219af37310>,
 'show_displays': True,
 'stderr': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='utf-8'>,
 'stderr_isatty': True,
 'stdin': <_io.TextIOWrapper name='<stdin>' mode='r' encoding='utf-8'>,
 'stdin_encoding': 'utf-8',
 'stdin_isatty': True,
 'stdout': <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>,
 'stdout_encoding': 'utf-8',
 'stdout_isatty': True}>

<PluginManager {'adapters': [],
 'auth': [<class 'httpie.plugins.builtin.BasicAuthPlugin'>,
          <class 'httpie.plugins.builtin.DigestAuthPlugin'>,
          <class 'httpie.plugins.builtin.BearerAuthPlugin'>],
 'converters': [],
 'formatters': [<class 'httpie.output.formatters.headers.HeadersFormatter'>,
                <class 'httpie.output.formatters.json.JSONFormatter'>,
                <class 'httpie.output.formatters.xml.XMLFormatter'>,
                <class 'httpie.output.formatters.colors.ColorFormatter'>]}>

>>> requests.request(**{'auth': None,
 'data': RequestJSONDataDict(),
 'headers': <HTTPHeadersDict('User-Agent': b'HTTPie/3.2.1')>,
 'method': 'get',
 'params': <generator object MultiValueOrderedDict.items at 0x7f219ac00f20>,
 'url': 'https://gsroka-neto.oktapreview.com/login/sessionCookieRedirect?redirectUrl=/&token=token123'})

GET /login/sessionCookieRedirect?redirectUrl=/&token=token123 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: gsroka-neto.oktapreview.com
User-Agent: HTTPie/3.2.1

HTTP/1.1 302 Found
Connection: keep-alive
Content-Length: 0
Date: Fri, 30 Dec 2022 14:14:38 GMT
Public-Key-Pins-Report-Only: pin-sha256="jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc="; pin-sha256="axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8="; pin-sha256="SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE="; pin-sha256="ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"  
Server: nginx
Strict-Transport-Security: max-age=315360000; includeSubDomains
X-Robots-Tag: noindex,nofollow
cache-control: no-cache, no-store
content-language: en
content-security-policy: default-src 'self' gsroka-neto.oktapreview.com *.oktacdn.com; connect-src 'self' gsroka-neto.oktapreview.com gsroka-neto-admin.oktapreview.com *.oktacdn.com *.mixpanel.com *.mapbox.com app.pendo.io data.pendo.io pendo-static-5634101834153984.storage.googleapis.com pendo-static-5391521872216064.storage.googleapis.com *.mtls.oktapreview.com gsroka-neto.kerberos.oktapreview.com https://oinmanager.okta.com data:; script-src 'unsafe-inline' 'unsafe-eval' 'self' gsroka-neto.oktapreview.com *.oktacdn.com; style-src 'unsafe-inline' 'self' gsroka-neto.oktapreview.com *.oktacdn.com app.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com pendo-static-5391521872216064.storage.googleapis.com; frame-src 'self' gsroka-neto.oktapreview.com gsroka-neto-admin.oktapreview.com login.okta.com; img-src 'self' gsroka-neto.oktapreview.com *.oktacdn.com *.tiles.mapbox.com *.mapbox.com app.pendo.io data.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com pendo-static-5391521872216064.storage.googleapis.com data: blob:; font-src 'self' gsroka-neto.oktapreview.com data: *.oktacdn.com fonts.gstatic.com; frame-ancestors 'self'
expect-ct: report-uri="https://oktaexpectct.report-uri.com/r/t/ct/reportOnly", max-age=0
expires: 0
location: https://gsroka-neto.oktapreview.com/
p3p: CP="HONK"
pragma: no-cache
set-cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/, autolaunch_triggered=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/, JSESSIONID=jession123; Path=/; Secure; HttpOnly, t=summer; Path=/, DT=dt123;Version=1;Path=/;Max-Age=63072000;Secure;Expires=Sun, 29 Dec 2024 14:14:38 GMT;HttpOnly, sid=sid123; Path=/; Secure
x-frame-options: SAMEORIGIN
x-okta-request-id: req123
x-rate-limit-limit: 850
x-rate-limit-remaining: 849
x-rate-limit-reset: 1672409738
x-xss-protection: 0

Additional information, screenshots, or code examples

note that the sid cookie appears twice in the set-cookie header: once at the beginning to clear it, once at the end to set it. i'm not sure if this is related.

i guess these are technically 2 set-cookie headers, but they're all joined with a ",", whereas curl, etc, show them as separate headers -- which is useful for debugging. is there a way to show these separately using httpie?

Edit:

https://www.rfc-editor.org/rfc/rfc6265

User agents MUST implement the more liberal processing rules defined in Section 5, in order to maximize interoperability with existing servers that do not conform to the well-behaved profile defined in Section 4.

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in [RFC2616]) might change the semantics of the Set-Cookie header field because the %x2C (",") character is used by Set-Cookie in a way that conflicts with such folding.
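
The folding described in this report, as an added example (not HTTPie's or Requests' code): it splits the folded `set-cookie` value from the debug output without breaking on the commas inside `Expires` dates, then applies the cookies in header order so the trailing `sid` replaces the leading deletion. The function names, the boundary heuristic and the name-only jar are assumptions of this sketch.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Folded set-cookie value as shown in the debug output above (already redacted).
FOLDED = ('sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/, '
          'autolaunch_triggered=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/, '
          'JSESSIONID=jession123; Path=/; Secure; HttpOnly, t=summer; Path=/, '
          'DT=dt123;Version=1;Path=/;Max-Age=63072000;Secure;'
          'Expires=Sun, 29 Dec 2024 14:14:38 GMT;HttpOnly, sid=sid123; Path=/; Secure')

# Heuristic: a comma starts a new cookie only if "name=" follows it; the comma
# inside an Expires date is followed by a day number and a space instead.
COOKIE_BOUNDARY = re.compile(r',\s*(?=[^;,=\s]+=)')

def split_folded_set_cookie(value):
    """Undo comma-folding of several Set-Cookie fields into one string."""
    return [part.strip() for part in COOKIE_BOUNDARY.split(value) if part.strip()]

def parse_cookie(field):
    """Return (name, value, attrs) with attribute names lowercased."""
    pair, *rest = field.split(';')
    name, _, value = pair.partition('=')
    attrs = {k.strip().lower(): v for k, _, v in (i.partition('=') for i in rest)}
    return name.strip(), value.strip(), attrs

def is_expired(attrs, now):
    """Max-Age takes precedence over Expires (RFC 6265 section 5.3)."""
    try:
        if 'max-age' in attrs:
            return int(attrs['max-age']) <= 0
        if 'expires' in attrs:
            return parsedate_to_datetime(attrs['expires']) <= now
    except (TypeError, ValueError):
        pass  # unparseable attribute: treated as not expired
    return False

def apply_in_order(folded, now=None):
    """Apply each cookie in header order; jar keyed by name only (simplification)."""
    now = now or datetime.now(timezone.utc)
    jar = {}
    for field in split_folded_set_cookie(folded):
        name, value, attrs = parse_cookie(field)
        if is_expired(attrs, now):
            jar.pop(name, None)   # deletion cookie
        else:
            jar[name] = value     # later cookie replaces an earlier one
    return jar
```

Calling `apply_in_order(FOLDED)` returns the jar a client should end up with; a plain `FOLDED.split(',')` cuts both `Expires` dates in half, which is the semantic conflict the RFC passage warns about.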