--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: xombrero does not handle httponly cookies
- From: Enrico Zini <enrico@debian.org>
- Date: Fri, 28 Aug 2015 11:02:05 +0200
- Message-id: <20150828090205.20730.99723.reportbug@viaza.enricozini.org>
Package: xombrero
Version: 2:1.6.4-3
Severity: normal
Hello,
thank you for maintaining xombrero.
It looks like xombrero does not store and retransmit httponly cookies.
If I point it at the attached web server, I can see that a new cookie is
generated at each request. With chromium instead, the cookie is
preserved.
See here for documentation about httponly cookies:
https://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
This is currently breaking access to https://sso.debian.org/spkac/enroll_manually
which relies on httponly cookies for session management, and relies on
session management for remembering the challenge string previously sent
to the client. If you visit that page with xombrero, you will see the
challenge string in the "openssl spkac" command line change all the
time. If you visit it with firefox or chromium, you will see that the
challenge stays the same.
Enrico
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages xombrero depends on:
ii libbsd0 0.7.0-2
ii libc6 2.19-19
ii libgdk-pixbuf2.0-0 2.31.5-1
ii libglib2.0-0 2.44.1-1.1
ii libgnutls-deb0-28 3.3.17-1
ii libgtk-3-0 3.16.6-1
ii libjavascriptcoregtk-3.0-0 2.4.9-2
ii libpango-1.0-0 1.36.8-3
ii libsoup2.4-1 2.50.0-2
ii libwebkitgtk-3.0-0 2.4.9-2
xombrero recommends no packages.
xombrero suggests no packages.
-- no debconf information
#!/usr/bin/python3
import http.server
import http.cookies
import socketserver
PORT = 8000
class CookieTest(http.server.BaseHTTPRequestHandler):
sequence = 0
def do_GET(self):
cookiestring = "\n".join(self.headers.get_all('Cookie', failobj=[]))
c = http.cookies.SimpleCookie()
c.load(cookiestring)
existing_session_id = c.get("sessionid", None)
if existing_session_id is None:
new_session_id = str(self.sequence)
self.sequence += 1
else:
new_session_id = existing_session_id
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.send_header("Set-Cookie", "sessionid={}; expires=Fri, 11-Sep-2017 08:34:46 GMT; httponly; Max-Age=1209600; Path=/".format(new_session_id))
self.end_headers()
self.wfile.write("existing cookie: {}\n".format(existing_session_id).encode("utf-8"))
for k, v in self.headers.items():
self.wfile.write("{}: {}\n".format(k, v).encode("utf-8"))
def main():
httpd = socketserver.TCPServer(("", PORT), CookieTest)
print("serving at port", PORT)
httpd.serve_forever()
if __name__ == "__main__":
main()
--- End Message ---