Posted to httpclient-users@hc.apache.org by Chirag Dewan <ch...@ericsson.com> on 2013/12/09 08:01:56 UTC

Cookie spoofing issue using Commons Http Client 3.1

Hi all,

I am using Http Client 3.1 in one of my applications. I am using it for a post request.

My request flow is like this:

1)      Client sends a login request.

2)      Server sends a session id in Set-Cookie (Set-Cookie: sessionid=x)

3)      Client sends a request with post data and the same session id cookie (Cookie: sessionid=x)

4)      Server responds to the request.

5)      Client sends another request with 2 session id cookies, 1 from the previous requests and one other session id cookie (Cookie: sessionid=x & Cookie: $Version=0; sessionid=y)

6)      Server unauthorizes the client.

It seems like the client is storing the session cookies and sending 2 session cookies in the request, and the server rejects the request based on an invalid session id.

Thanks in advance.

Chirag


Re: Cookie spoofing issue using Commons Http Client 3.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2013-12-09 at 11:22 +0000, Chirag Dewan wrote:
> Hi Oleg,
> 
> I understand that, Oleg. But it’s a legacy application which cannot be upgraded at the moment, even though it was my first option as well.
> 

I understand that, too. Apache HttpComponents is an all-volunteer
community project, and we simply have no resources to maintain more than
two concurrent branches (stable and dev).

Oleg

> Just in case someone else has also faced a similar issue, it would be of great help.
> 
> One thing I forgot to add which might be of use: my application is acting as a proxy here. It accepts requests from a client and proxies them to a server, thus manually getting all the headers and setting the headers manually in the HttpClient.
> 
> Thanks.
> 
> Chirag
> 
> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org] 
> Sent: Monday, December 09, 2013 4:36 PM
> To: HttpClient User Discussion
> Subject: Re: Cookie spoofing issue using Commons Http Client 3.1
> 
> On Mon, 2013-12-09 at 07:01 +0000, Chirag Dewan wrote:
> > Hi all,
> > 
> > I am using Http Client 3.1 in one of my applications. I am using it for a post request.
> > 
> > My request flow is like this:
> > 
> > 1)      Client sends a login request.
> > 
> > 2)      Server sends a session id in Set-Cookie (Set-Cookie: sessionid=x)
> > 
> > 3)      Client sends a request with post data and the same session id cookie (Cookie: sessionid=x)
> > 
> > 4)      Server responds to the request.
> > 
> > 5)      Client sends another request with 2 session id cookies, 1 from the previous requests and one other session id cookie (Cookie: sessionid=x & Cookie: $Version=0; sessionid=y)
> > 
> > 6)      Server unauthorizes the client.
> > 
> > It seems like the client is storing the session cookies and sending 2 session cookies in the request, and the server rejects the request based on an invalid session id.
> > 
> > Thanks in advance.
> > 
> > Chirag
> > 
> 
> Chirag,
> 
> HC 3.1 has been at end of life for several years now. It is neither being maintained nor supported. It is very unlikely anyone would investigate this issue. Please consider upgrading to HC 4.3.
> 
> Oleg
> 
> 
> 
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


RE: Cookie spoofing issue using Commons Http Client 3.1

Posted by Chirag Dewan <ch...@ericsson.com>.
Hi,

That worked. :)

Indeed the issue was with client adding its own cookies. 

Thanks a lot!

Chirag

-----Original Message-----
From: thc202@gmail.com [mailto:thc202@gmail.com] 
Sent: Monday, December 09, 2013 8:54 PM
To: HttpClient User Discussion
Subject: Re: Cookie spoofing issue using Commons Http Client 3.1

Hi.

> One thing I forgot to add which might be of use: my application is acting as a proxy here. It accepts requests from a client and proxies them to a server, thus manually getting all the headers and setting the headers manually in the HttpClient.

(I will assume that the cookie management is already done in the
(proxy) client, a browser?)
Did you disable the cookie management in HttpClient? Otherwise both the (proxy) client and HttpClient will be sending their own cookies (which seems to be the behaviour described in step #5, but it should be happening in all requests).

Note that the HttpClient shouldn't automatically follow HTTP redirects as the (proxy) client will/might not see all the "Set-Cookie" headers (this would explain why the "Cookie" headers contain different values in step #5, obviously, if a redirect happened in step #4 and it contained a "Set-Cookie" header).

To disable cookies in HttpClient:
httpClient.getParams().setCookiePolicy(CookiePolicy.IGNORE_COOKIES);

Let me know if any of the assumptions I've made is wrong.

HTH.
Best regards.

On 9 December 2013 11:22, Chirag Dewan <ch...@ericsson.com> wrote:
> Hi Oleg,
>
> I understand that, Oleg. But it’s a legacy application which cannot be upgraded at the moment, even though it was my first option as well.
>
> Just in case someone else has also faced a similar issue, it would be of great help.
>
> One thing I forgot to add which might be of use: my application is acting as a proxy here. It accepts requests from a client and proxies them to a server, thus manually getting all the headers and setting the headers manually in the HttpClient.
>
> Thanks.
>
> Chirag
>
> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org]
> Sent: Monday, December 09, 2013 4:36 PM
> To: HttpClient User Discussion
> Subject: Re: Cookie spoofing issue using Commons Http Client 3.1
>
> On Mon, 2013-12-09 at 07:01 +0000, Chirag Dewan wrote:
>> Hi all,
>>
>> I am using Http Client 3.1 in one of my applications. I am using it for a post request.
>>
>> My request flow is like this:
>>
>> 1)      Client sends a login request.
>>
>> 2)      Server sends a session id in Set-Cookie (Set-Cookie: sessionid=x)
>>
>> 3)      Client sends a request with post data and the same session id cookie (Cookie: sessionid=x)
>>
>> 4)      Server responds to the request.
>>
>> 5)      Client sends another request with 2 session id cookies, 1 from the previous requests and one other session id cookie (Cookie: sessionid=x & Cookie: $Version=0; sessionid=y)
>>
>> 6)      Server unauthorizes the client.
>>
>> It seems like the client is storing the session cookies and sending 2 session cookies in the request, and the server rejects the request based on an invalid session id.
>>
>> Thanks in advance.
>>
>> Chirag
>>
>
> Chirag,
>
> HC 3.1 has been at end of life for several years now. It is neither 
> being maintained nor supported. It is very unlikely anyone would 
> investigate this issue. Please consider upgrading to HC 4.3.
>
> Oleg
>
>
>
>



Re: Cookie spoofing issue using Commons Http Client 3.1

Posted by th...@gmail.com.
Hi.

> One thing I forgot to add which might be of use: my application is acting as a proxy here. It accepts requests from a client and proxies them to a server, thus manually getting all the headers and setting the headers manually in the HttpClient.

(I will assume that the cookie management is already done in the
(proxy) client, a browser?)
Did you disable the cookie management in HttpClient? Otherwise both
the (proxy) client and HttpClient will be sending their own cookies
(which seems to be the behaviour described in step #5, but it should
be happening in all requests).

Note that the HttpClient shouldn't automatically follow HTTP redirects
as the (proxy) client will/might not see all the "Set-Cookie" headers
(this would explain why the "Cookie" headers contain different values
in step #5, obviously, if a redirect happened in step #4 and it
contained a "Set-Cookie" header).

To disable cookies in HttpClient:
httpClient.getParams().setCookiePolicy(CookiePolicy.IGNORE_COOKIES);

Let me know if any of the assumptions I've made is wrong.

HTH.
Best regards.

On 9 December 2013 11:22, Chirag Dewan <ch...@ericsson.com> wrote:
> Hi Oleg,
>
> I understand that, Oleg. But it’s a legacy application which cannot be upgraded at the moment, even though it was my first option as well.
>
> Just in case someone else has also faced a similar issue, it would be of great help.
>
> One thing I forgot to add which might be of use: my application is acting as a proxy here. It accepts requests from a client and proxies them to a server, thus manually getting all the headers and setting the headers manually in the HttpClient.
>
> Thanks.
>
> Chirag
>
> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org]
> Sent: Monday, December 09, 2013 4:36 PM
> To: HttpClient User Discussion
> Subject: Re: Cookie spoofing issue using Commons Http Client 3.1
>
> On Mon, 2013-12-09 at 07:01 +0000, Chirag Dewan wrote:
>> Hi all,
>>
>> I am using Http Client 3.1 in one of my applications. I am using it for a post request.
>>
>> My request flow is like this:
>>
>> 1)      Client sends a login request.
>>
>> 2)      Server sends a session id in Set-Cookie (Set-Cookie: sessionid=x)
>>
>> 3)      Client sends a request with post data and the same session id cookie (Cookie: sessionid=x)
>>
>> 4)      Server responds to the request.
>>
>> 5)      Client sends another request with 2 session id cookies, 1 from the previous requests and one other session id cookie (Cookie: sessionid=x & Cookie: $Version=0; sessionid=y)
>>
>> 6)      Server unauthorizes the client.
>>
>> It seems like the client is storing the session cookies and sending 2 session cookies in the request, and the server rejects the request based on an invalid session id.
>>
>> Thanks in advance.
>>
>> Chirag
>>
>
> Chirag,
>
> HC 3.1 has been at end of life for several years now. It is neither being maintained nor supported. It is very unlikely anyone would investigate this issue. Please consider upgrading to HC 4.3.
>
> Oleg
>
>
>
>

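The configuration thc202 describes (cookie policy set to IGNORE_COOKIES, no automatic redirect following) put into a small pass-through proxy for Commons HttpClient 3.1. This is an added example and not code from the thread or from the HttpClient project; the class name PassThroughProxy, the header-forwarding logic, the sample header values and the host names are assumptions for illustration, while the HttpClient calls are the 3.1 API. It covers both the original six-step flow (the browser's sessionid=x is the only cookie that reaches the server) and thc202's two settings.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.cookie.CookiePolicy;
import org.apache.commons.httpclient.methods.ByteArrayRequestEntity;
import org.apache.commons.httpclient.methods.PostMethod;

/**
 * Hypothetical pass-through proxy helper for Commons HttpClient 3.1 (added
 * example, not code from the thread or the project). The browser owns the
 * session, so its Cookie header is copied verbatim; the two settings marked
 * (1) and (2) stop HttpClient from attaching a second session cookie of its
 * own or swallowing a Set-Cookie behind a redirect.
 */
public class PassThroughProxy {

    // Hop-by-hop headers belong to one connection and must not be copied to
    // the other (RFC 2616 section 13.5.1). Host and Content-Length are also
    // dropped: HttpClient generates them for the outbound request when absent.
    private static final Set<String> NOT_FORWARDED = new HashSet<String>(Arrays.asList(
            "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
            "te", "trailers", "transfer-encoding", "upgrade", "host", "content-length"));

    private final HttpClient httpClient = new HttpClient();

    public PassThroughProxy() {
        // (1) Neither store upstream Set-Cookie headers in HttpState nor add
        //     cookies from HttpState to outgoing requests. A Cookie header set
        //     explicitly on the method is still sent.
        httpClient.getParams().setCookiePolicy(CookiePolicy.IGNORE_COOKIES);
    }

    /** Builds the upstream POST from the inbound headers and body; nothing is sent yet. */
    public PostMethod buildUpstreamPost(String upstreamUrl, Map<String, String> inboundHeaders,
                                        byte[] body, String contentType) {
        PostMethod post = new PostMethod(upstreamUrl);
        // (2) Hand 3xx responses back to the browser unchanged so it sees every
        //     Set-Cookie. PostMethod never follows redirects in 3.1; a GetMethod
        //     proxy needs the same call because GetMethod enables following.
        post.setFollowRedirects(false);
        for (Map.Entry<String, String> h : inboundHeaders.entrySet()) {
            if (!NOT_FORWARDED.contains(h.getKey().toLowerCase(Locale.ROOT))) {
                post.addRequestHeader(h.getKey(), h.getValue());
            }
        }
        post.setRequestEntity(new ByteArrayRequestEntity(body, contentType));
        return post;
    }

    /**
     * Sends the request and returns the upstream status. Forwardable response
     * headers (Set-Cookie included, one list entry per header so repeated
     * names survive) are appended to responseHeaders for the browser.
     */
    public int forward(PostMethod post, List<Header> responseHeaders) throws IOException {
        try {
            int status = httpClient.executeMethod(post);
            for (Header h : post.getResponseHeaders()) {
                if (!NOT_FORWARDED.contains(h.getName().toLowerCase(Locale.ROOT))) {
                    responseHeaders.add(h);
                }
            }
            return status;
        } finally {
            post.releaseConnection();
        }
    }

    /** Offline demonstration on constructed inbound headers; no connection is opened. */
    public static void main(String[] args) {
        Map<String, String> inbound = new LinkedHashMap<String, String>();
        inbound.put("Host", "proxy.example");                       // constructed sample values
        inbound.put("Cookie", "sessionid=x");
        inbound.put("Content-Type", "application/x-www-form-urlencoded");
        inbound.put("Connection", "keep-alive");

        PassThroughProxy proxy = new PassThroughProxy();
        PostMethod post = proxy.buildUpstreamPost("http://upstream.example/login",
                inbound, "user=alice".getBytes(), "application/x-www-form-urlencoded");

        // Prints the headers queued on the method: exactly one Cookie header,
        // the browser's, and no HttpClient-generated one.
        for (Header h : post.getRequestHeaders()) {
            System.out.println(h.getName() + ": " + h.getValue());
        }
        // proxy.forward(post, new java.util.ArrayList<Header>());  // sends for real
    }
}
```

The point of setting (1) is that with the default cookie policy HttpClient keeps the upstream Set-Cookie in its own HttpState and then adds a second, auto-generated Cookie header next to the one copied from the browser, which is the two-cookie request of step 5; the server has no reliable way to pick the right session from two contradictory values and rejects the request. With IGNORE_COOKIES exactly one party, the browser, manages the session, and the proxy becomes a verifiable pass-through: the request that reaches the server carries only the headers the proxy chose to copy.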


RE: Cookie spoofing issue using Commons Http Client 3.1

Posted by Chirag Dewan <ch...@ericsson.com>.
Hi Oleg,

I understand that, Oleg. But it’s a legacy application which cannot be upgraded at the moment, even though it was my first option as well.

Just in case someone else has also faced a similar issue, it would be of great help.

One thing I forgot to add which might be of use: my application is acting as a proxy here. It accepts requests from a client and proxies them to a server, thus manually getting all the headers and setting the headers manually in the HttpClient.

Thanks.

Chirag

-----Original Message-----
From: Oleg Kalnichevski [mailto:olegk@apache.org] 
Sent: Monday, December 09, 2013 4:36 PM
To: HttpClient User Discussion
Subject: Re: Cookie spoofing issue using Commons Http Client 3.1

On Mon, 2013-12-09 at 07:01 +0000, Chirag Dewan wrote:
> Hi all,
> 
> I am using Http Client 3.1 in one of my applications. I am using it for a post request.
> 
> My request flow is like this:
> 
> 1)      Client sends a login request.
> 
> 2)      Server sends a session id in Set-Cookie (Set-Cookie: sessionid=x)
> 
> 3)      Client sends a request with post data and the same session id cookie (Cookie: sessionid=x)
> 
> 4)      Server responds to the request.
> 
> 5)      Client sends another request with 2 session id cookies, 1 from the previous requests and one other session id cookie (Cookie: sessionid=x & Cookie: $Version=0; sessionid=y)
> 
> 6)      Server unauthorizes the client.
> 
> It seems like the client is storing the session cookies and sending 2 session cookies in the request, and the server rejects the request based on an invalid session id.
> 
> Thanks in advance.
> 
> Chirag
> 

Chirag,

HC 3.1 has been at end of life for several years now. It is neither being maintained nor supported. It is very unlikely anyone would investigate this issue. Please consider upgrading to HC 4.3.

Oleg





Re: Cookie spoofing issue using Commons Http Client 3.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2013-12-09 at 07:01 +0000, Chirag Dewan wrote:
> Hi all,
> 
> I am using Http Client 3.1 in one of my applications. I am using it for a post request.
> 
> My request flow is like this:
> 
> 1)      Client sends a login request.
> 
> 2)      Server sends a session id in Set-Cookie (Set-Cookie: sessionid=x)
> 
> 3)      Client sends a request with post data and the same session id cookie (Cookie: sessionid=x)
> 
> 4)      Server responds to the request.
> 
> 5)      Client sends another request with 2 session id cookies, 1 from the previous requests and one other session id cookie (Cookie: sessionid=x & Cookie: $Version=0; sessionid=y)
> 
> 6)      Server unauthorizes the client.
> 
> It seems like the client is storing the session cookies and sending 2 session cookies in the request, and the server rejects the request based on an invalid session id.
> 
> Thanks in advance.
> 
> Chirag
> 

Chirag,

HC 3.1 has been at end of life for several years now. It is neither
being maintained nor supported. It is very unlikely anyone would
investigate this issue. Please consider upgrading to HC 4.3.

Oleg


