search

janodvarko / firecookie

Automatically exported from code.google.com/p/firecookie
Other
0 stars 3 forks source link

urlencoding of cookies value #54

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
I have encountered a problem when modifiying JSESSIONID cookies. When you
edit a cookie (even if you do not modify anything but just open the cookie
editor and close it again), it applyes urlencoding to its value. It is not
seen at the firecookie screen (the cookie seems as valid as before), but
when you send it to the server, it does not understand the cookie because
it contains the urlencoded version of ":" or "!" (I've tried with 
WebSphere and WebLogic). This is working as expected? Can this behaviour be
changed in anyway?

Original issue reported on code.google.com by odva...@gmail.com on 29 Oct 2009 at 2:24

GoogleCodeExporter commented 9 years ago 
Copied from an email send by Xavier Montes.

Original comment by odva...@gmail.com on 29 Oct 2009 at 2:26

GoogleCodeExporter commented 9 years ago 
What Firecookie version do you use?
Do you have an test case I could use to reproduce that behavior?

Thanks!
Honza

Original comment by odva...@gmail.com on 29 Oct 2009 at 2:27

GoogleCodeExporter commented 9 years ago 
hi,

u can edit cookie with value like, 
KqsxpyKGrhYCQQvbhfJF4zxltZCY1ShdWMnZqft5lqbZrkw7MTGR!759839802

then export cookies into file.
you'll see the cookies become 

KqsxpyKGrhYCQQvbhfJF4zxltZCY1ShdWMnZqft5lqbZrkw7MTGR%21759839802

weblogic will treat that as new session.

Original comment by tealees...@gmail.com on 30 Oct 2009 at 6:10

GoogleCodeExporter commented 9 years ago 
Hi,

tealeeseng has pointed exactly what the problem is. About the versions I use:

Firefox/3.5.4
Firecookie 0.9.1
Firebug 1.4.3

Yours, XMA

Original comment by x....@telefonica.net on 30 Oct 2009 at 12:47

GoogleCodeExporter commented 9 years ago 
for quick fix, you can replace attached copy of editCookie.js in 

C:\Documents and Settings\{$USER}\Application
Data\Mozilla\Firefox\Profiles\{RANDOM?}.default\extensions\firecookie@janodvarko
.cz\chrome\content\firecookie

the changes is at line 99 to,
var cookieValue = this.valueNode.value;

which suppose to fix issue 39

Original comment by tealees...@gmail.com on 3 Nov 2009 at 6:18

Attachments:

GoogleCodeExporter commented 9 years ago 
Hi tealeeseng,

I have modified editCookie and now I can play with JSESSIONs without problems.

Thanks a lot!

Yours, 

XMA

Original comment by x....@telefonica.net on 5 Nov 2009 at 11:51

GoogleCodeExporter commented 9 years ago 
I have created a test case for this here:
http://www.janodvarko.cz/firecookie/tests/issue54/issue54.php

However, the cookie comes to the browser already escaped.
So, eg. if the original value is "-!-" (without enclosing quotes)
the incoming value is always "-%21-" (without enclosing quotes)

What I am doing wrong?
Honza

Original comment by odva...@gmail.com on 12 Nov 2009 at 11:54

GoogleCodeExporter commented 9 years ago 
hi,
i don't know how to write firefox Add-ons from scratch. I only tried my luck on
searching firecookie source and looking for keywords, eg, escape. After made the
change on line 99, i got what I need.

My suggestion on the fix for issue 39 and issue 54 is,

only escape/unescape for ;

existing escape/unescape method might not fit the purpose?

Original comment by tealees...@gmail.com on 28 Nov 2009 at 8:40

GoogleCodeExporter commented 9 years ago 
I have seen a related problem with version 1.0.2.  If I enter a cookie value of
"a+b", it is urldecoded to "a b".  That would be fine if firecookie was 
consistently
urldecoding *everything*.  Then I could just enter %2b if I really want a "+".  
But
%2b is not urldecoded.

It seems that the "value" field needs to either let you enter a completely 
unencoded
value, or a completely raw value.  In an ideal world, you could toggle between 
the
raw and the unencoded values.

Original comment by jason.pr...@gmail.com on 12 May 2010 at 5:03

GoogleCodeExporter commented 9 years ago 
I have encountered this problem with a cookie value containing commas, which 
get URL
encoded by FireCookie v1.0.2
Applying the suggested change to line 99 solved the problem

Original comment by olivier....@gmail.com on 27 May 2010 at 9:00

GoogleCodeExporter commented 9 years ago 
Hi,

using firecookie 1.1.1 @Firefox 3.6.12 w/ Firebug 1.5.4 I encounter additional 
problems with cookie value escaping/encoding.

I've got to test some things with cookie values containing "=". It's Base64 
encoded stuff where "=" is used to pad the value to an appropriate length.

These cookies are sent as 'CookieName="CookieValue="' (without the single 
quotes).

They're sent back the very same way and according to RFC that's perfectly OK, 
as value van be a quoted string.

When creating or modifying one of these cookies the value gets changed in an 
incompatible way. 
The "=" is encoded to "%3D" plus the quotation is encoded to "%22". So the 
cookie finally sent is

CookieName=%22CookieValue%3D%22

I see the problem the "=" (among others) has to be encoded in general. But the 
only way to transfer this important (at least for Base64 encoded values!) 
character in a cookie is by putting the whole unescaped value into a quoted 
string.
Unescaped of course in this situation means "everything except '"' is not 
separately escaped"

What do you think?

Original comment by pitpa...@gmail.com on 27 Nov 2010 at 10:22

GoogleCodeExporter commented 9 years ago 
The "=" character does not need to be encoded, according to RFC 6265. It is 
possible to send raw base64 strings as cookie values.

Original comment by lord.ma...@gmail.com on 14 Jul 2011 at 9:02

GoogleCodeExporter commented 9 years ago 
This seems to still be the case with firebug 1.8.2 where the "=" gets url 
encoded as a %3. If anyone has a work around please let me know.

Original comment by mcbride...@gmail.com on 15 Sep 2011 at 6:11

GoogleCodeExporter commented 9 years ago 
Still an issue in 1.4

Symbols such as !, = and ~ get encoded.

Original comment by raven.de...@gmail.com on 8 May 2012 at 10:09

GoogleCodeExporter commented 9 years ago 
Issue 60 has been merged into this issue.

Original comment by sebastia...@gmail.com on 12 Jun 2012 at 8:37

GoogleCodeExporter commented 9 years ago 
Issue 71 has been merged into this issue.

Original comment by sebastia...@gmail.com on 12 Jun 2012 at 8:38

GoogleCodeExporter commented 9 years ago 
Issue 66 has been merged into this issue.

Original comment by sebastia...@gmail.com on 12 Jun 2012 at 8:38

GoogleCodeExporter commented 9 years ago 
Issue 74 has been merged into this issue.

Original comment by sebastia...@gmail.com on 12 Jun 2012 at 8:38

GoogleCodeExporter commented 9 years ago 
Issue 80 has been merged into this issue.

Original comment by sebastia...@gmail.com on 12 Jun 2012 at 8:39

GoogleCodeExporter commented 9 years ago 
Issue 104 has been merged into this issue.

Original comment by sebastia...@gmail.com on 12 Jun 2012 at 8:39

GoogleCodeExporter commented 9 years ago 
Issue 118 has been merged into this issue.

Original comment by sebastia...@gmail.com on 12 Jun 2012 at 8:39

GoogleCodeExporter commented 9 years ago 
Issue 127 has been merged into this issue.

Original comment by sebastia...@gmail.com on 24 Jun 2012 at 12:51

GoogleCodeExporter commented 9 years ago 
Note that Firecookie is integrated into Firebug since 1.10a11.

Regarding comment 7:
Instead of using setcookie() you need to use setrawcookie().

A test case for this is available at:

https://getfirebug.com/tests/manual/issues/5607/issue5607.php

Steps to reproduce:
1. Open Firebug on that page
2. Enable and switch to the Cookies panel
3. Reload the page
   => Two cookies will be listed, the second one unescaped
4. Right-click on that cookie and choose "Edit" from the context menu
5. Don't touch anything in the dialog and just press OK

=> The cookie value is escaped

Sebastian

Original comment by sebastia...@gmail.com on 24 Jun 2012 at 1:01

GoogleCodeExporter commented 9 years ago 
Moved to: Issue fbug:5608

Original comment by sebastia...@gmail.com on 24 Jun 2012 at 1:01