net/http: SetCookie is creating invalid headers #29804

Closed
Rickgrendel opened this issue Jan 18, 2019 · 4 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Rickgrendel commented Jan 18, 2019

What version of Go are you using (go version)?

$ go version
go version go1.11.2 windows/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\Rick\AppData\Local\go-build
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:\Users\Rick\Documents\projects\cerebral\
set GOPROXY=
set GORACE=
set GOROOT=C:\Go
set GOTMPDIR=
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\Rick\AppData\Local\Temp\go-build507667558=/tmp/go-build -gno-record-gcc-switches

What did you do?

Create a secure cookie with github.com/gorilla/securecookie (which from their side works) and create a cookie with http.setcookie()

var hashKey = []byte("testkey") // for testing purposes
var blockKey = []byte(securecookie.GenerateRandomKey(32))

var s = securecookie.New(hashKey, blockKey)
  if encoded, err := s.Encode("cookie-name", value); err == nil {
    cookie := &http.Cookie{
      Name:     "cookie-name",
      Value:    encoded,
      Path:     "/",
      Secure:   true,
      HttpOnly: true,
    }

    http.SetCookie(*w, cookie) // w = *http.ResponseWriter

...

What did you expect to see?

In my REST client for testing I expected to see a valid Set-Cookie header but the header is written as setcookie and the Secure and HttpOnly flags are missing.

What did you see instead?

setcookie:cookiename=MTU0NzczNTM0N3xGOTJYUUw5TFNXZHI2dU9jT3hCeTZUTE5TaTBFNU1XN1F 5WGMzb3c1dGZRUENEU2xPZHFwTXJQLW8zND18_VCYxNVRbIAUrs9_8EcGpTUEiqVyYL_2M5Olbjhnkeg =; Path=/

An invalid cookie header created by http.setcookie()

@bradfitz bradfitz changed the title net/http: http.setcookie is creating invalid headers net/http: SetCookie is creating invalid headers Jan 18, 2019
@bradfitz
Contributor

Can you write an example that doesn't use third-party packages? (that is, how do we know this isn't a bug in securecookie or in your code connecting the two?)

And what part of the output do you think is invalid? We could figure it out, but it helps if you're more explicit in bug reports.

@bradfitz bradfitz added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Jan 18, 2019
@bradfitz bradfitz added this to the Go1.13 milestone Jan 18, 2019
@Rickgrendel
Author

Okay, this is the code without third-party packages. Still the same result.

cookie := &http.Cookie{
  Name:     "cookie-name",
  Value:    "Hello World!",
  Path:     "/",
  Secure:   true,
  HttpOnly: true,
}

http.SetCookie(*w, cookie) // w = *http.ResponseWriter

The part that is invalid is that the header for the cookie is setcookie instead of Set-Cookie. Google Chrome doesn't even see the header.

@bradfitz
Contributor

@Rickgrendel, the string "setcookie" (in any case) does not appear in the Go source tree, so not sure why you think you see that.

I certainly don't see that: https://play.golang.org/p/G2J_7TnSA9n

We use Set-Cookie (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie etc)
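
A local check of the behaviour discussed in this thread, as an added example that is not part of the original issue or of the Go project's code: it runs the reporter's second snippet against an in-memory recorder, reads back the header key that `http.SetCookie` wrote, and audits the parsed cookies for the `Secure` and `HttpOnly` attributes. The handler names, `record`, `auditCookies` and the `weak` cookie are hypothetical names constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// setSessionCookie mirrors the reporter's snippet without third-party packages.
func setSessionCookie(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name: "cookie-name", Value: "Hello World!", Path: "/",
		Secure: true, HttpOnly: true,
	})
}

// setWeakCookie is a constructed counter-example with both attributes left unset.
func setWeakCookie(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "weak", Value: "x", Path: "/"})
}

// record runs a handler against an in-memory recorder and returns its response.
func record(h http.HandlerFunc) *http.Response {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result()
}

// auditCookies lists cookies in a response that lack Secure or HttpOnly.
func auditCookies(resp *http.Response) []string {
	var findings []string
	for _, c := range resp.Cookies() {
		if !c.Secure {
			findings = append(findings, c.Name+": missing Secure")
		}
		if !c.HttpOnly {
			findings = append(findings, c.Name+": missing HttpOnly")
		}
	}
	return findings
}

func main() {
	resp := record(setSessionCookie)
	fmt.Printf("Set-Cookie: %q\n", resp.Header["Set-Cookie"])
	fmt.Println("findings:", auditCookies(resp))
	fmt.Println("findings:", auditCookies(record(setWeakCookie)))
}
```

Running the same audit against the real server's response, rather than the output of a REST client, separates what the Go handler wrote from what an intermediary or client displays.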

@agnivade agnivade added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. and removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Jan 29, 2019
@gopherbot

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@golang golang locked and limited conversation to collaborators Feb 29, 2020