
I searched the internet for quite a while but didn't find a satisfying answer to my question.

I have to get a JSON object from a certain HTTP site. I do this with a GET request over HTTP (the site is available only over HTTP). The site responds with a session cookie:

Set-Cookie: session_id=95656983e1feaff45a000aa7f2f9093a1ea4b1c3; expires=Fri, 20 Apr 2018 14:00:51 GMT; httponly; Max-Age=3600; Path=/; secure

My first question is: why is the cookie sent over HTTP when the HttpOnly and Secure flags are set?

After I get the JSON object I have to do some fancy stuff and send a JSON object back to another site on the same domain. This site is also available only via HTTP. (I do the requests in Python with python-requests and use requests.session() for dealing with the cookies, so no problem there.) When I look through the headers of my request with mitmproxy I see that no cookie is set, and the page responds with "WHERE'S MY COOKIE??"

I think the problem is the HttpOnly and Secure flags. I just don't know how to deal with it, because the page is only available over HTTP and not HTTPS.

Solenya

1 Answer


The Secure attribute instructs the client/browser to only return the cookie when using a secure channel, but such a cookie can be set by the application/server on the client/browser over normal HTTP. You are correct that the Secure flag is causing the problem, and AFAIK there is no way to work around it.

Farooq Khan
  • Thanks for the explanation. I tried to set my own cookie without the Secure and HttpOnly tags with the same session_id. The server still responds with "WHERE'S MY COOKIE??". Am I missing something? – Solenya Apr 21 '18 at 19:19
  • Maybe there is some domain difference at play here. If you do not set the domain explicitly, the effective domain interpreted by the client could be different than what you are expecting. I think you can try setting an explicit domain. This other question might help: https://stackoverflow.com/questions/1062963/how-do-browser-cookie-domains-work?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa and another good link for everything about domains in cookies is https://www.mxsasha.eu/blog/2014/03/04/definitive-guide-to-cookie-domains/ – Farooq Khan Apr 21 '18 at 20:11
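The behaviour described in the answer and the comments can be reproduced offline with the standard-library cookie jar. The example below is added here; it is not code from the question, the answer, or python-requests. requests.Session() stores its cookies in a subclass of http.cookiejar.CookieJar, so the same policy applies there. The host names, paths and the Set-Cookie value are constructed for the demo, and the Expires date from the question is dropped because it is in the past (the jar would treat it as a delete). It shows four things: the jar accepts a Secure cookie that arrived over plain HTTP, it withholds that cookie from http:// requests and returns it on https://, a host-only cookie is not returned to a sibling host (the domain mismatch the comment suggests), and re-adding the cookie without Secure (the asker's workaround) makes the jar send it over HTTP again.

```python
from email.message import Message
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed Set-Cookie value: same attributes as the one in the question,
# minus the already-expired Expires date. Max-Age=3600 keeps it alive.
SECURE_SET_COOKIE = ("session_id=95656983e1feaff45a000aa7f2f9093a1ea4b1c3; "
                     "Max-Age=3600; Path=/; HttpOnly; Secure")


class FakeResponse:
    """Minimal stand-in for an HTTP response. CookieJar.extract_cookies only
    needs .info() to return an object with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive_set_cookie(jar, url, set_cookie_value):
    """Simulate the server at `url` answering with a Set-Cookie header.
    The jar applies its *set* policy here and does not care whether the
    channel was http:// or https://; Secure only restricts *returning*.
    Returns the cookies the jar now holds."""
    jar.extract_cookies(FakeResponse([set_cookie_value]), Request(url))
    return list(jar)


def cookie_header_for(jar, url):
    """Ask the jar which Cookie header it would attach to a request to `url`.
    Returns None when the policy withholds every cookie."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def add_unsecured_copy(jar, secure_cookie):
    """Client-side workaround from the asker's comment: re-add the cookie
    without Secure so the jar will send it over http://. Same name, domain
    and path, so it replaces the Secure original in the jar. This discards a
    protection the server asked for; only do it when the endpoint really is
    HTTP-only and you accept that the session id travels in the clear."""
    clone = Cookie(
        version=0, name=secure_cookie.name, value=secure_cookie.value,
        port=None, port_specified=False,
        domain=secure_cookie.domain, domain_specified=False,
        domain_initial_dot=False,
        path=secure_cookie.path, path_specified=True,
        secure=False, expires=secure_cookie.expires, discard=False,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )
    jar.set_cookie(clone)
    return clone


def demo():
    """Walk through the question's scenario on constructed hosts and return
    the observations so they can be checked."""
    jar = CookieJar()
    (cookie,) = receive_set_cookie(jar, "http://api.example.com/data",
                                   SECURE_SET_COOKIE)
    results = {
        # Stored although it arrived over HTTP, flags intact.
        "stored_over_http": bool(cookie.secure
                                 and cookie.has_nonstandard_attr("HttpOnly")),
        # The asker's second request: same host, plain HTTP -> no Cookie header.
        "sent_over_http": cookie_header_for(jar, "http://api.example.com/submit"),
        "sent_over_https": cookie_header_for(jar, "https://api.example.com/submit"),
        # No Domain attribute was set, so the cookie is host-only.
        "sent_to_other_host": cookie_header_for(jar, "https://www.example.com/submit"),
    }
    add_unsecured_copy(jar, cookie)
    results["sent_over_http_after_workaround"] = cookie_header_for(
        jar, "http://api.example.com/submit")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

If the asker's hand-made cookie still did not reach the server, the "sent_to_other_host" case is the one to check: a cookie set without an explicit Domain is bound to the exact host that set it, so a second site on a different host name of the same domain never sees it. Setting the jar's cookie with a domain of ".example.com" (or having the server send Domain=example.com) is what makes it travel between hosts.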