You are viewing a plain text version of this content. The canonical link for it is here.
Posted to httpclient-users@hc.apache.org by Joseph Jupin <jo...@fe77.com> on 2007/12/06 18:10:09 UTC
Problem with HttpClient and cookies...
Oh, the dreaded matching Cookies when calling a post to a site that's
looking for them. Unfortunately, I've fallen into this trap and need
a little help getting out - maybe with a few pointers somewhere,
whatever.
Okay, first off - yes, I've read the documentation for newbies, the
quick start and have even dug into the src code for HttpClient - hell,
I even overloaded a few of the classes (CookieSpec and Cookie) to get
my call to recognize the cookies being set. It's all been for naught
- sort of...
Here's the gist of the problem:
Cookies are not enabled on your browser. Please adjust this in your
security preferences before continuing
yep - that's what I get back no matter what I do now. yes, I make
sure the cookies look like a valid session from a browser. I've gone
into firefox and pulled out all the cookies made for this domain - and
mimic'd each and every one.
Yes, I've tried emulating different Browsers. My current one is set
to Mozilla 5.0.
I've gotten rid of the dread httpOnly tag by re-writing the
CookieSpecBase class to ignore this parameter. From what I can tell,
the site only sends it - it never tries to recover it - and the cookie
itself doesn't even seem to store it as an attribute of the session.
So, has anyone else seen this message - or could maybe direct me to
possible solutions?
The next thing I'm going to try is to attach a mechanism to watch how
the cookie is formatted coming down and installed on a browser and see
if it differs much from mine - and - vice versa - how the cookie looks
going up and seeing if I match it.
many, many thanx for reading my partial rant/ plea for help!
;-)
peace. JOe...
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
Re: Problem with HttpClient and cookies...
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2007-12-06 at 09:10 -0800, Joseph Jupin wrote:
> Oh, the dreaded matching Cookies when calling a post to a site that's
> looking for them. Unfortunately, I've fallen into this trap and need
> a little help getting out - maybe with a few pointers somewhere,
> whatever.
>
> Okay, first off - yes, I've read the documentation for newbies, the
> quick start and have even dug into the src code for HttpClient - hell,
> I even overloaded a few of the classes (CookieSpec and Cookie) to get
> my call to recognize the cookies being set. It's all been for naught
> - sort of...
>
> Here's the gist of the problem:
>
> Cookies are not enabled on your browser. Please adjust this in your
> security preferences before continuing
>
> yep - that's what I get back no matter what I do now. yes, I make
> sure the cookies look like a valid session from a browser. I've gone
> into firefox and pulled out all the cookies made for this domain - and
> mimic'd each and every one.
>
> Yes, I've tried emulating different Browsers. My current one is set
> to Mozilla 5.0.
>
> I've gotten rid of the dread httpOnly tag by re-writing the
> CookieSpecBase class to ignore this parameter. From what I can tell,
> the site only sends it - it never tries to recover it - and the cookie
> itself doesn't even seem to store it as an attribute of the session.
>
> So, has anyone else seen this message - or could maybe direct me to
> possible solutions?
>
> The next thing I'm going to try is to attach a mechanism to watch how
> the cookie is formatted coming down and installed on a browser and see
> if it differs much from mine - and - vice versa - how the cookie looks
> going up and seeing if I match it.
>
> many, many thanx for reading my partial rant/ plea for help!
>
> ;-)
>
> peace. JOe...
>
Joe,
A little more technical details like HttpClient version, cookie spec
used or, better, a wire/context log of the HTTP session would increase
the changes of us being able to help you.
Have you looked at the Browser Compatibility section of the cookie
guide?
http://jakarta.apache.org/httpcomponents/httpclient-3.x/cookies.html
Oleg
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
Re: Problem with HttpClient and cookies...
Posted by sebb <se...@gmail.com>.
On 06/12/2007, Joseph Jupin <jo...@fe77.com> wrote:
> On Thu, 6 Dec 2007 17:29:13 +0000
> sebb <se...@gmail.com> wrote:
> ...
> >> > Here's the gist of the problem:
> >> >
> >> > Cookies are not enabled on your browser. Please adjust this in
> >> >your
> >> > security preferences before continuing
> >> >
> >> > yep - that's what I get back no matter what I do now. yes, I make
> >> > sure the cookies look like a valid session from a browser. I've
> >> >gone
> >> > into firefox and pulled out all the cookies made for this domain -
> >> >and
> >> > mimic'd each and every one.
> >>
> >> You can't normally re-use cookies from another session.
> >>
>
> ummm - why not? they're nothing but name-value pairs, rite?
> So, if I copy those values - I should be able to mimic what's been
> put in there, rite? Most of the time, the cookies are only written at
> the beginning and then the next times they're just read for things
> like timeout parameters, login values, etc. So, mimic-ing one
> shouldn't be that big a deal, I would think.
For security reasons, cookie values that represent sessions are
normally some "random" string to prevent them being guessed. The
server will normally expire them after a short while, and may perform
other legitimacy checks (e.g. match against IP address that was used
when the cookie was generated).
> Anyhoo - I'll look into that - but I think you missed the point to my
> message. The message being returned is that the site is thinks that
> cookies are not turned on! Sooooo - is there some parameter or
> setting that needs to be set in the CookieSpec or Client to let it
> know that cookies are turned on? How exactly does this work?
The server might not find the correct cookie name or the correct
value, or it may want cookies provided as a single line rather than
multiple headers.
> Just so you know - I've mapped the set-cookie calls and they're all
> read and properly set - I output both the name and the attribute value
> and compare against the cached values - each time it was a perfect
> match.
> other than maybe a time differential issue or time expiration problem,
> I can't see that my cookie creation is the problem - I believe it's a
> setting that needs to occur. Anybody know this?
>
> cool.
>
> peace. JOe...
>
>
> >> >
> >> > Yes, I've tried emulating different Browsers. My current one is
> >> >set
> >> > to Mozilla 5.0.
> >> >
> >> > I've gotten rid of the dread httpOnly tag by re-writing the
> >> > CookieSpecBase class to ignore this parameter. From what I can
> >> >tell,
> >> > the site only sends it - it never tries to recover it - and the
> >> >cookie
> >> > itself doesn't even seem to store it as an attribute of the
> >> >session.
> >> >
> >> > So, has anyone else seen this message - or could maybe direct me
> >> >to
> >> > possible solutions?
> >>
> >> Are you sure that the application is logging in correctly?
> >>
>
> yes - it is. When the values for logging in (login and password) are
> passed in through the cookies and through the calls - the site comes
> back with the login value pulled in to the login field with that error
> message - so it definitely knows that it's the login value - and I
> know for a fact that the password is correct.
>
>
> >> > The next thing I'm going to try is to attach a mechanism to watch
> >> >how
> >> > the cookie is formatted coming down and installed on a browser and
> >> >see
> >> > if it differs much from mine - and - vice versa - how the cookie
> >> >looks
> >> > going up and seeing if I match it.
> >>
> >> HttpClient supports logging:
> >>
> >> http://jakarta.apache.org/httpcomponents/httpclient-3.x/logging.html
>
> yes - I know this - I have both the wire debugging on and regular
> debugging to see all the messages going by. I don't think I'm missing
> anything.
>
> Just as an aside - how do I know the values for the cookies are loaded
> to the site. That is - do they have a format on how to pass the data
> (ie, "semi-colon" separate list of name-value pairs - what?)... Does
> this make sense?
>
> peace. JOe...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
Re: Problem with HttpClient and cookies...
Posted by Joseph Jupin <jo...@fe77.com>.
On Thu, 6 Dec 2007 17:29:13 +0000
sebb <se...@gmail.com> wrote:
...
>> > Here's the gist of the problem:
>> >
>> > Cookies are not enabled on your browser. Please adjust this in
>> >your
>> > security preferences before continuing
>> >
>> > yep - that's what I get back no matter what I do now. yes, I make
>> > sure the cookies look like a valid session from a browser. I've
>> >gone
>> > into firefox and pulled out all the cookies made for this domain -
>> >and
>> > mimic'd each and every one.
>>
>> You can't normally re-use cookies from another session.
>>
ummm - why not? they're nothing but name-value pairs, rite?
So, if I copy those values - I should be able to mimic what's been
put in there, rite? Most of the time, the cookies are only written at
the beginning and then the next times they're just read for things
like timeout parameters, login values, etc. So, mimic-ing one
shouldn't be that big a deal, I would think.
Anyhoo - I'll look into that - but I think you missed the point to my
message. The message being returned is that the site is thinks that
cookies are not turned on! Sooooo - is there some parameter or
setting that needs to be set in the CookieSpec or Client to let it
know that cookies are turned on? How exactly does this work?
Just so you know - I've mapped the set-cookie calls and they're all
read and properly set - I output both the name and the attribute value
and compare against the cached values - each time it was a perfect
match.
other than maybe a time differential issue or time expiration problem,
I can't see that my cookie creation is the problem - I believe it's a
setting that needs to occur. Anybody know this?
cool.
peace. JOe...
>> >
>> > Yes, I've tried emulating different Browsers. My current one is
>> >set
>> > to Mozilla 5.0.
>> >
>> > I've gotten rid of the dread httpOnly tag by re-writing the
>> > CookieSpecBase class to ignore this parameter. From what I can
>> >tell,
>> > the site only sends it - it never tries to recover it - and the
>> >cookie
>> > itself doesn't even seem to store it as an attribute of the
>> >session.
>> >
>> > So, has anyone else seen this message - or could maybe direct me
>> >to
>> > possible solutions?
>>
>> Are you sure that the application is logging in correctly?
>>
yes - it is. When the values for logging in (login and password) are
passed in through the cookies and through the calls - the site comes
back with the login value pulled in to the login field with that error
message - so it definitely knows that it's the login value - and I
know for a fact that the password is correct.
>> > The next thing I'm going to try is to attach a mechanism to watch
>> >how
>> > the cookie is formatted coming down and installed on a browser and
>> >see
>> > if it differs much from mine - and - vice versa - how the cookie
>> >looks
>> > going up and seeing if I match it.
>>
>> HttpClient supports logging:
>>
>> http://jakarta.apache.org/httpcomponents/httpclient-3.x/logging.html
yes - I know this - I have both the wire debugging on and regular
debugging to see all the messages going by. I don't think I'm missing
anything.
Just as an aside - how do I know the values for the cookies are loaded
to the site. That is - do they have a format on how to pass the data
(ie, "semi-colon" separate list of name-value pairs - what?)... Does
this make sense?
peace. JOe...
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
Re: Problem with HttpClient and cookies...
Posted by sebb <se...@gmail.com>.
On 06/12/2007, Joseph Jupin <jo...@fe77.com> wrote:
> Oh, the dreaded matching Cookies when calling a post to a site that's
> looking for them. Unfortunately, I've fallen into this trap and need
> a little help getting out - maybe with a few pointers somewhere,
> whatever.
>
> Okay, first off - yes, I've read the documentation for newbies, the
> quick start and have even dug into the src code for HttpClient - hell,
> I even overloaded a few of the classes (CookieSpec and Cookie) to get
> my call to recognize the cookies being set. It's all been for naught
> - sort of...
>
> Here's the gist of the problem:
>
> Cookies are not enabled on your browser. Please adjust this in your
> security preferences before continuing
>
> yep - that's what I get back no matter what I do now. yes, I make
> sure the cookies look like a valid session from a browser. I've gone
> into firefox and pulled out all the cookies made for this domain - and
> mimic'd each and every one.
You can't normally re-use cookies from another session.
>
> Yes, I've tried emulating different Browsers. My current one is set
> to Mozilla 5.0.
>
> I've gotten rid of the dread httpOnly tag by re-writing the
> CookieSpecBase class to ignore this parameter. From what I can tell,
> the site only sends it - it never tries to recover it - and the cookie
> itself doesn't even seem to store it as an attribute of the session.
>
> So, has anyone else seen this message - or could maybe direct me to
> possible solutions?
Are you sure that the application is logging in correctly?
> The next thing I'm going to try is to attach a mechanism to watch how
> the cookie is formatted coming down and installed on a browser and see
> if it differs much from mine - and - vice versa - how the cookie looks
> going up and seeing if I match it.
HttpClient supports logging:
http://jakarta.apache.org/httpcomponents/httpclient-3.x/logging.html
Use the "best for debugging" settings; this will include cookies.
> many, many thanx for reading my partial rant/ plea for help!
>
> ;-)
>
> peace. JOe...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org