I use the following code to set up cookies:
    PersistentCookieJar cookieJar = new PersistentCookieJar(
            new SetCookieCache(), new SharedPrefsCookiePersistor(context));
    clientBuilder.cookieJar(cookieJar);
    Retrofit retrofit = builder.client(clientBuilder.build()).build();
This is the header I received from the server:
Set-Cookie: wordpress_logged_in_6041590398a33ab947560d559f09d479=capad%7C1488467742%7CSttfNHrOkwd67CteCGepJyv3bNU2SeSW0URepOPxCe5%7C5091b3bbcc334e520cec85c4c9b8e26a07a962d3c00c8c709b87f90018370f60; path=/; secure; httponly
Your cookie (Set-Cookie: wordpress_logged_in_[etc]; path=/; secure; httponly) has no expiration set.
This makes it a "session" cookie, which should not be persisted. Your PersistentCookieJar likely follows the correct spec in not persisting any cookies without an expiration.
You can either manually add on an expiration when you receive this cookie (perhaps with an OkHttp interceptor), or create your own version of the PersistentCookieJar that persists all cookies (this is probably not a good idea).
Another option would be to respect the fact that whoever is sending that cookie wants it to be a session cookie.
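The interceptor option from the answer above, as an added example that is not the answerer's code: an OkHttp network interceptor that appends a bounded Max-Age to one named session cookie before the cookie jar sees it. The class name, the name prefix and the lifetime are assumptions, as is the jar persisting only cookies that carry a lifetime.

```java
import java.io.IOException;
import java.util.List;
import java.util.Locale;
import okhttp3.Interceptor;
import okhttp3.Response;

/**
 * Added example (not from the original answer): appends Max-Age to one named
 * session cookie so a persistence-aware CookieJar treats it as persistent.
 */
public final class SessionCookieExpiryInterceptor implements Interceptor {
    private final String namePrefix;   // assumption: e.g. "wordpress_logged_in_"
    private final long maxAgeSeconds;  // assumption: keep this short for auth cookies

    public SessionCookieExpiryInterceptor(String namePrefix, long maxAgeSeconds) {
        this.namePrefix = namePrefix;
        this.maxAgeSeconds = maxAgeSeconds;
    }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Response response = chain.proceed(chain.request());
        List<String> setCookies = response.headers("Set-Cookie");
        if (setCookies.isEmpty()) {
            return response;
        }
        // Re-emit every Set-Cookie header; only the targeted one is changed.
        Response.Builder rewritten = response.newBuilder().removeHeader("Set-Cookie");
        for (String header : setCookies) {
            rewritten.addHeader("Set-Cookie", withLifetime(header));
        }
        return rewritten.build();
    }

    /** Returns the header unchanged unless it is the targeted cookie with no lifetime. */
    String withLifetime(String header) {
        boolean targeted = header.startsWith(namePrefix);
        String attrs = header.toLowerCase(Locale.ROOT).replace(" ", "");
        boolean hasLifetime = attrs.contains(";max-age=") || attrs.contains(";expires=");
        return (targeted && !hasLifetime) ? header + "; Max-Age=" + maxAgeSeconds : header;
    }
}

// Must be a network interceptor: it runs before OkHttp hands the response
// headers to the CookieJar, whereas an application interceptor runs after.
// clientBuilder.addNetworkInterceptor(
//         new SessionCookieExpiryInterceptor("wordpress_logged_in_", 3600));
```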
Related
I am seeing behavior on a native Android app where the last response that returns a Set-Cookie is not the same cookie used on successive calls to the same domain. The cookie store can return an older copy of that cookie.
The code uses the default CookieHandler and CookieManager with the default InMemoryCookieStore.
The app can receive session cookies from multiple hosts on the same domain; the session cookies are good on any calls to the same domain. The app calls about 4 different hosts, host1.example.com through host4. Any of these calls can respond with a Set-Cookie header to refresh the SESSION cookie.
The problem I see is the Cookie store will store these cookies in a Map keyed by the full hostname. The domain on the cookie is: .example.com
host3.example.com - SESSION=xyx; path=/; domain=.example.com; secure; HTTPOnly
host2.example.com - SESSION=sde; path=/; domain=.example.com; secure; HTTPOnly
host1.example.com - SESSION=8xd; path=/; domain=.example.com; secure; HTTPOnly
host4.example.com - SESSION=22d; path=/; domain=.example.com; secure; HTTPOnly
When the cookies are requested for a new http request, the cookie store iterates over the map looking for the domain matching the domain on the cookie, which is .example.com. It finds this in the first entry, say host3, then continues on through the list. All other domains that match the cookie are excluded as duplicates and it returns the SESSION=xyx which can be old and expired (There is no expiration set on these cookies.) The last update on the Cookie may have been from host1 so the returned cookie from host3 is not the latest.
What's also odd is that the full host is ignored and only the domain is considered. The request URL can be host1.example.com but it'll still match host3 since it matches the domain and is the first in the entry set from the map. I only find that odd since the full hostname is used as the key but never considered.
I looked through RFC 6265 and didn't see any mention of this specific behavior, but the RFC seemed to sound like it should provide the latest cookie from that domain.
Is there a defined behavior for this and is the Android InMemoryCookieStore behaving incorrectly?
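An added example, not part of the question: RFC 6265 section 5.3 identifies a stored cookie by its name, domain and path, and a newer cookie with the same triple replaces the older one. A store keyed that way, instead of by the responding host, returns the latest SESSION value; the class name is hypothetical and only java.net APIs are used.

```java
import java.net.CookieStore;
import java.net.HttpCookie;
import java.net.URI;
import java.util.*;

/** Added example: a CookieStore keyed by cookie identity, so the newest Set-Cookie wins. */
public final class LatestWinsCookieStore implements CookieStore {
    // Key is (name, domain, path) per RFC 6265 section 5.3, not the responding host.
    private final Map<String, HttpCookie> cookies = new LinkedHashMap<>();

    private static String key(HttpCookie c) {
        return c.getName() + "|" + String.valueOf(c.getDomain()).toLowerCase(Locale.ROOT)
                + "|" + c.getPath();
    }

    @Override public synchronized void add(URI uri, HttpCookie cookie) {
        if (cookie.getDomain() == null && uri != null) {
            cookie.setDomain(uri.getHost());   // host-only cookie: scope it to the sender
        }
        cookies.remove(key(cookie));           // replace any older copy, whichever host set it
        if (cookie.getMaxAge() != 0) {         // Max-Age=0 means "delete"
            cookies.put(key(cookie), cookie);
        }
    }

    @Override public synchronized List<HttpCookie> get(URI uri) {
        boolean https = "https".equalsIgnoreCase(uri.getScheme());
        List<HttpCookie> matches = new ArrayList<>();
        for (Iterator<HttpCookie> it = cookies.values().iterator(); it.hasNext();) {
            HttpCookie c = it.next();
            if (c.hasExpired()) {
                it.remove();
            } else if ((https || !c.getSecure())   // never release secure cookies over http
                    && HttpCookie.domainMatches(c.getDomain(), uri.getHost())) {
                matches.add(c);
            }
        }
        return matches;
    }

    @Override public synchronized List<HttpCookie> getCookies() { return new ArrayList<>(cookies.values()); }
    @Override public List<URI> getURIs() { return Collections.emptyList(); } // hosts are not tracked
    @Override public synchronized boolean remove(URI uri, HttpCookie cookie) { return cookies.remove(key(cookie)) != null; }
    @Override public synchronized boolean removeAll() {
        boolean hadCookies = !cookies.isEmpty();
        cookies.clear();
        return hadCookies;
    }
}
```

It is installed with `CookieHandler.setDefault(new CookieManager(new LatestWinsCookieStore(), null))`, where a null policy means the default ACCEPT_ORIGINAL_SERVER.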
I have an android app that connects to a server. The app appends a cookie to each request. However, I need to suppress this cookie for a request to a specific URI.
Some more details:
Can't add an empty cookie for this URI - even if only the empty one is sent, the request must be without a cookie.
Use okHTTP3 for this request. It's ugly but it'll work.
Looked at HttpUrlConnection, CookieStore and CookieManager - could not find any API to disable sending of cookie for a connection
I prefer not to disable cookies in general but just suppress this one
My web server program is written in Node.js, but it does not manage the session when I send a request from my Android app. I have set the header along with my request, but I'm getting the same response from the server: "Session does not exist". I added the cookie token along with the request header; something is missing in my Volley request header. The code below shows my Volley response header. Can anybody help me make a Volley request header with the cookie token?
{
Connection=keep-alive,
Content-Length=216,
Content-Type=application/json; charset=utf-8,
Date=Wed, 18 Jan 2017 06:12:11 GMT,
ETag=W/"d8-oF3uHVo3IiU9RmPHXIfBcA",
Server=nginx/1.10.0 (Ubuntu),
set-cookie=connect.sid=s%3ACeQpRX68rrYC6bebVi5F15hEN8uUmetO.GPKqnHv9VYNH83ztga3YnicAsvZ%2FSB28xUcrRGRa2sA; Path=/,
X-Android-Received-Millis=1484719931455,
X-Android-Response-Source=NETWORK 200,
X-Android-Selected-Protocol=http/1.1,
X-Android-Sent-Millis=1484719930801,
X-Powered-By=Express
}
How can I delete an httpOnly cookie from android webView cookiemanager without deleting all other cookies?
GetCookie does not return HTTPOnly cookies and so I cannot set it to expired.
I need cookies from other sites to remain intact.
I have the following problem:
I auth via OAuth and a WebView; after that I store cookies in SharedPreferences and set them in ClientHttpRequestInterceptor.
According to the logs, new cookies are being set for new requests, but on the server I get old cookies until I fully restart the application.
Here is my JsonSpiceService:
http://pastebin.com/Wiaf6NkJ
Here is my activity where I set cookies:
http://pastebin.com/f5F0JCnd
Thanks for your help.
After trying to fix this, I noticed that RoboSpice and Spring ignore the setting of cookies after receiving a set-cookie header. So I send a request that receives the correct set-cookie header, and this fixed the issue.