Comments (6)

rlebeau commented on June 16, 2024

The only way TIdCookieManager would not save the cookie is if it has expired. Otherwise, TIdCookieManager will look for an existing cookie with a matching Name, Domain, Path, etc, and if found then remove the old cookie. Regardless, TIdCookieManager will save the new cookie as long as it is not expired. The Path should not be preventing a new cookie from being saved, it should only be influencing whether TIdCookieManager sends the cookie back to the server on subsequent requests. Are you sure that is not the actual problem instead? Are you sure the cookie's Path matches the URL(s) you are expecting it to be sent back to?

from indy.

EvgenyLevitskiy commented on June 16, 2024

OK, now I see that TIdCookieManager saves all cookies, but I still don't understand why
with ACookie.Path := '/'; it loads the correct page:

dest: https://login.autobid.de/auth?response_type=code&redirect_uri=https%3A%2F%2Fautobid.de%2F%3Faction%3Dauth%26show%3Dverify&client_id=premium&nonce=a1b6270f1622d107405be1b2f2628276&state=57d01baea68b35ea0ba3d5784edd718e&scope=openid - NumRedirect: 1 - VMethod:GET

dest: /interaction/18890697-d876-4c1a-a9c4-1d655df5de17 - NumRedirect: 2 - VMethod:GET

4 Cookies:
tokenpremium=uioo5rtao3qi0ntl8640038qiv; Path=/; Domain=autobid.de; HttpOnly; Max-Age=251704105579; Expires=Fri, 31-Dec-9999 22:59:59 GMT
amNewPopupHashes=YToyOntzOjc6ImJyb3dzZXIiO3M6NDA6ImQ4ZjQ4Nzc4NWI3NzVkNzk0MmVlNzkyYzBmNDFlYzZiYzdiOGQ3YmYiO3M6NDoidXNlciI7Tjt9; Path=/; Domain=autobid.de; HttpOnly; Max-Age=15551999; Expires=Sun, 21-Apr-2024 22:53:40 GMT
_grant=18890697-d876-4c1a-a9c4-1d655df5de17; Path=/; Domain=login.autobid.de; HttpOnly; Max-Age=900; Expires=Tue, 24-Oct-2023 23:08:41 GMT
_grant.sig=gOiNjXEd-p5Ll71dh57RBrNMtzI; Path=/; Domain=login.autobid.de; HttpOnly; Max-Age=900; Expires=Tue, 24-Oct-2023 23:08:41 GMT

and without ACookie.Path := '/'; it sends me back to the main page with a message that no cookies are found:

dest: https://login.autobid.de/auth?response_type=code&redirect_uri=https%3A%2F%2Fautobid.de%2F%3Faction%3Dauth%26show%3Dverify&client_id=premium&nonce=f0b249a0630d070bedc664b1c5c9fc7a&state=bcd39b6c318fcd481806077fa74ade89&scope=openid - NumRedirect: 1 - VMethod:GET

dest: /interaction/fab23be0-c927-4c93-b5ed-09d0e34feca9 - NumRedirect: 2 - VMethod:GET

dest: https://autobid.de/#login/session/interaction%20session%20id%20cookie%20not%20found - NumRedirect: 3 - VMethod:GET

6 Cookies:
tokenpremium=v3u0mjj70fds8o4o4m1usulrm0; Path=/; Domain=autobid.de; HttpOnly; Max-Age=251704105212; Expires=Fri, 31-Dec-9999 22:59:59 GMT
_grant=fab23be0-c927-4c93-b5ed-09d0e34feca9; Path=/interaction/fab23be0-c927-4c93-b5ed-09d0e34feca9; Domain=login.autobid.de; HttpOnly; Max-Age=899; Expires=Tue, 24-Oct-2023 23:14:47 GMT
_grant.sig=qaYAieoN-JAxD5DF2BHIsLXvqkY; Path=/interaction/fab23be0-c927-4c93-b5ed-09d0e34feca9; Domain=login.autobid.de; HttpOnly; Max-Age=899; Expires=Tue, 24-Oct-2023 23:14:47 GMT
_grant=fab23be0-c927-4c93-b5ed-09d0e34feca9; Path=/auth/fab23be0-c927-4c93-b5ed-09d0e34feca9; Domain=login.autobid.de; HttpOnly; Max-Age=899; Expires=Tue, 24-Oct-2023 23:14:47 GMT
_grant.sig=qaYAieoN-JAxD5DF2BHIsLXvqkY; Path=/auth/fab23be0-c927-4c93-b5ed-09d0e34feca9; Domain=login.autobid.de; HttpOnly; Max-Age=899; Expires=Tue, 24-Oct-2023 23:14:47 GMT
amNewPopupHashes=YToyOntzOjc6ImJyb3dzZXIiO3M6NDA6IjhiZTA5YThjMWI0MTVmZjc3OTZkOWYwNzZlYjgzMmY4OWQwYThlMzciO3M6NDoidXNlciI7Tjt9; Path=/; Domain=autobid.de; HttpOnly; Max-Age=15551999; Expires=Sun, 21-Apr-2024 22:59:47 GMT

P.S. The server always sends the cookies with path /interaction/... and /auth/... as expired.

EvgenyLevitskiy commented on June 16, 2024

Hello Remy!

I have done several tests with requests to the website and I found the following problem:

function IsPathMatch(const AUriPath, ACookiePath: String): Boolean;
tries to execute TextIsSame and it returns False because
AUriPath := /interaction/
and
ACookiePath := /interaction/af822c5a-c32b-4d30-99ad-25bc97180998

Normally AUriPath should also be /interaction/af822c5a-c32b-4d30-99ad-25bc97180998.
See the redirect destination: dest: /interaction/af822c5a-c32b-4d30-99ad-25bc97180998 - NumRedirect: 2 - VMethod:GET

I think

function TIdCookie.IsAllowed(AURI: TIdURI; SecureOnly: Boolean): Boolean;

  function MatchesHost: Boolean;
  begin
    if HostOnly then begin
      Result := TextIsSame(CanonicalizeHostName(AURI.Host), Domain);
    end else begin
      Result := IsDomainMatch(AURI.Host, Domain);
    end;
  end;

begin
  // using the algorithm defined in RFC 6265 section 5.4...
  Result := MatchesHost and IsPathMatch(AURI.Path, Path) and
            ((not Secure) or (Secure and SecureOnly)) and
            ((not HttpOnly) or (HttpOnly and IsHTTP(AURI.Protocol)));
end;

should be IsPathMatch(AURI.GetPathAndParams, Path)

In RFC 6265 you can read the following rule:
* The request-uri's path path-matches the cookie's path.

In my case, /interaction/af822c5a-c32b-4d30-99ad-25bc97180998 was requested and not /interaction/

rlebeau commented on June 16, 2024

Using AURI.GetPathAndParams would be the wrong thing to use here, since a URL's query parameters are not part of its path. Besides, the URLs in question do not have query parameters anyway. You are probably thinking of AURI.Path + AURI.Document instead of AURI.GetPathAndParams.

But, I think you are correct, TIdCookie.IsAllowed(), as well as GetDefaultPath(), need to take the TIdURI.Document into account when processing URL paths. I will make that change.

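Added example, not part of the thread and not Indy's code: a Python rendering of the RFC 6265 section 5.1.4 default-path and path-match rules, showing why matching against only the directory part of the request path withholds a cookie scoped to /interaction/<id>. The host name, interaction id, cookie jar and helper names are constructed for illustration; the comparison is case-sensitive as in the RFC.

```python
from urllib.parse import urlsplit


def default_path(uri_path):
    """RFC 6265 section 5.1.4: cookie path used when Set-Cookie has no Path."""
    if not uri_path or not uri_path.startswith("/"):
        return "/"
    if uri_path.count("/") <= 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return uri_path[: uri_path.rfind("/")]


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does request_path path-match cookie_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix match counts only on a "/" boundary.
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def split_dir_and_document(uri_path):
    """Hypothetical helper: split a path into (directory, last segment),
    like a URI class that stores the two parts in separate fields."""
    cut = uri_path.rfind("/") + 1
    return uri_path[:cut], uri_path[cut:]


def cookies_to_send(url, jar, use_document=True):
    """Names of cookies in jar whose Path allows them to be sent to url.
    use_document=False reproduces the mismatch reported in the thread."""
    full = urlsplit(url).path or "/"
    directory, document = split_dir_and_document(full)
    request_path = directory + document if use_document else directory
    return [name for name, cpath in jar if path_match(request_path, cpath)]


# Constructed sample data (placeholder host and interaction id).
INTERACTION_ID = "00000000-0000-0000-0000-000000000000"
URL = "https://login.example.test/interaction/" + INTERACTION_ID
JAR = [("_grant", "/interaction/" + INTERACTION_ID), ("token", "/")]
```

With `use_document=False` only the `/`-scoped cookie is returned for `URL`, which corresponds to the "session id cookie not found" redirect in the log above; with the full path both cookies are returned.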

rlebeau commented on June 16, 2024

Let me know if that works.

EvgenyLevitskiy commented on June 16, 2024

It works, thanks!
