Open ecclejau opened 1 year ago
The issue is that the `set_ok_domain` function from the `DefaultCookiePolicy` from the `cookiejar` library does not allow a mismatch between request host and cookie domain.
In this code snippet below, the `set_ok` method has been overridden to always return `True`, effectively allowing any cookie to be set regardless of the request host and cookie domain match.
It's important to keep in mind that this should not be used in production.
You can however verify that it is indeed the `DefaultCookiePolicy`, which prevents such use-cases, as the empty string in the domain.
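```python
import requests
from http import cookiejar


class DangerouslyAllowEverything(cookiejar.CookiePolicy):
    # Diagnostic only: accepts every cookie, whatever its domain attribute says.
    def set_ok(self, *args, **kwargs):
        return True

    # Policy attributes the cookie jar reads while parsing Set-Cookie headers.
    netscape = True
    rfc2965 = False


session = requests.session()
session.cookies.set_policy(DangerouslyAllowEverything())
response = session.get("http://localhost")
```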
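To see the rejection described above without replacing the policy, the following added example (not part of the original comment or of the requests code base) feeds a constructed `Set-Cookie` header to the standard library's `http.cookiejar` under `DefaultCookiePolicy` and reports how the cookie was parsed and whether it was stored. The host `app.example.test`, the cookie `sid=abc123`, and the helper names `FakeResponse` and `check_set_cookie` are assumptions made for the illustration.

```python
from email.message import Message
from http import cookiejar
from urllib.request import Request


class FakeResponse:
    """Hypothetical stand-in for an HTTP response; the jar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def check_set_cookie(set_cookie, url="http://app.example.test/api"):
    """Parse one Set-Cookie header and report what DefaultCookiePolicy decides."""
    request = Request(url)                      # constructed request, never sent
    policy = cookiejar.DefaultCookiePolicy()
    jar = cookiejar.CookieJar(policy)
    response = FakeResponse(set_cookie)

    # make_cookies() parses without consulting the policy, so the
    # normalised domain is visible even for cookies that get rejected.
    cookie = jar.make_cookies(response, request)[0]

    # extract_cookies() is the path a real response takes: parse, then
    # keep only the cookies for which policy.set_ok() is true.
    jar.extract_cookies(response, request)

    return {
        "domain": cookie.domain,
        "domain_specified": cookie.domain_specified,
        "set_ok": policy.set_ok(cookie, request),
        "stored": [c.name for c in jar],
    }


if __name__ == "__main__":
    # Constructed sample headers: with the empty domain attribute, and without it.
    for header in ("sid=abc123; domain=; path=/", "sid=abc123; path=/"):
        print(header, "->", check_set_cookie(header))
```

The empty `domain=` attribute is normalised to the domain `"."` with `domain_specified` set, and the domain check then refuses it; the same cookie without the attribute is host-only and is stored.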
Using requests to access an API hosted on an application server we noticed that cookies were not added to the cookie jar in the session.
It seems that after an upgrade to the application server framework it adds a `domain=;` cookie-attribute to the cookies in the response.
Expected Result
The cookie to be added to the jar
Actual Result
The cookie is dropped.
Reproduction Steps
Requirements:
PyHamcrest==2.0.2
requests==2.28.1
System Information