Issue metadata
Sign in to add a comment
|
Network Requests send old cookies
Reported by
groo...@gmail.com,
Apr 3 2017
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3061.0 Safari/537.36 Steps to reproduce the problem: 1. Login to local dev site, example localhost:8000 2. The server will send a response with a session cookie, example `loggedin=True;` 3. Logout from the dev site. The server will respond by also resetting the cookie, example `loggedin=;` 4. The cookie is removed from the browser 5. Make another request to the website 6. The expired cookie (not visible anymore from DevTool/Application/Cookies) is sent along with the new request with the old value `loggedin=True` What is the expected behavior? The browser should NOT send an old non-existent cookie What went wrong? The browser send old expired cookies. As you can see from the images attached even tough the cookie does not exist in the browser it is sent anyway (with an old value). This is not only a visual bug , the cookie is really sent with the http request because I could capture it from my backend application (see image 3). Did this work before? Yes Does this work in other browsers? Yes Chrome version: 59.0.3061.0 Channel: canary OS Version: OS X 10.11.6 Flash Version: Shockwave Flash 25.0 r0 I could reproduce this in local dev sites (running on localhost address). I could verify this also in chrome 56.0.2924.87 (Mac 64-bit) This seems to be related to an old bug I've reported about duplicated cookies: 596429 as I could see not yet fixed.
,
Apr 4 2017
,
Apr 4 2017
I think the main reason why this issue and issue 596429 will not get much attention is that you do not provide a reproducible test case or a URL that reproduces this. While net-internals logs are good, they cannot be debugged like the actual browser. My guess is that if you provide a URL that reproduces both of those issues (or a URL per issue), they will get the needed attention and will get fixed (or marked as WontFix, depending on the outcome).
,
Apr 4 2017
groobox@ could you please help us with the sample html test case or url and the expected behavior of this issue for further triage from TE-End . Thank You...
,
Apr 4 2017
The problem is that this is happening only on local urls as also explained in 596429, particularly: http://localhost:8000 I can't reproduce the html because it is a complex js application and I cannot disclose it during development. Please notice that deleting all the browser's cached data and stored cookies plus a browser restart has temporarily fixed this, but I am expecting this to come back anytime given that also 596429 comes back unexpectedly from time to time
,
Apr 4 2017
Thank you for providing more feedback. Adding requester "kkaluri@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 4 2017
Is the site trying to overwrite a cookie set with the "Secure" flag with a cookie set by an HTTP request?
,
Apr 4 2017
#6 -
"loggedin" is not an HTTP-only cookie in your screenshot - could it be that your JavaScript code recreates it?
Try adding this to the beginning of your code -
(function ()
{
const {get, set} = Object.getOwnPropertyDescriptor(Document.prototype, "cookie");
Object.defineProperty(
document, "cookie",
{
get()
{
console.trace("Someone attempted to read a cookie");
return get.call(document);
},
set(value)
{
console.trace(value, 'was attempted to be set as a cookie');
set.call(document, value);
}
}
);
}());
This should log a message whenever document.cookie is touched and show a stack trace.
,
Apr 5 2017
groobox@ could you please respond to the comment #9 and let us know your observations.
,
Apr 5 2017
My javascript does some manipulation of the cookies. I don't use https, only http, the loggedin cookie is not httponly. About the js cookie manipulation, I read all the cookies and from time to time I set a cookie using javascript BUT it's never the `loggedin` cookie. This one is never manipulated by javascript, only read. Anyway after having purged the browser cache I can't reproduce the bug anymore..
,
Apr 5 2017
Thank you for providing more feedback. Adding requester "kkaluri@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 5 2017
I think we'd need a net-internals log with cookie-capturing enabled to get some idea what's going on. Instructions here: https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details (You need to toggle the strip cookies option). To avoid leaking cookies from other sites, you should use a new profiles (Run chrome with --user-data-dir=wherever). Using incognito is not enough, since net-internals includes non-incognito requests. If you have cookies and/or URLs in the log you don't want to share, you can send me the log directly. If that still doesn't work for you, you could try and modify the log yourself (It's just a JSON file), but it's easy to miss stuff, given the shear size of log files, so I would not recommend relying on your own modifications for privacy. You could also try and set up a minimal repro. If none of this works for you, not sure we can make progress here, unfortunately.
,
Apr 25 2017
@groobox: Any respond to c#13? IF not, I'm afraid we're going to need to close the bug :-{.
,
Apr 25 2017
For the record, he did send me a log (And I was very slow in following up), but the log didn't include a reproduction of the issue, and he said he was unable to reproduce the issue after clearing the cache. Going to go ahead and close this. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ranjitkan@chromium.org
, Apr 3 2017