CURLOPT_COOKIELIST and Set-Cookie without a domain

[jay]

I struggled with the best way to explain to the user that using CURLOPT_COOKIELIST and Set-Cookie without a domain means the cookie is used for any domain and will not be modified. The issue was brought up on the mailing list recently. I came up with some basic warning that I added just now in b18a165. But should Set-Cookie without a domain really mean that? It seems too late to change the behavior, so it should be documented.

Also it isn't yet documented that a cookie without a domain is saved with hostname "unknown" and I wonder if it should be. It seems they are not later loaded as any-domain cookies when they are imported. But also it's been like that for so long maybe some users expect that. However what's the goal of saving as unknown, because when you import it it's not like it's going to be used for all domains again. It might be fitting to warn the user of that as well. And what if someone actually has a hostname "unknown"?

[bagder]

A Set-Cookie: received without a set domain should use the domain actually used in the URL to get that cookie. I believe that's in the cookie spec (and I believe we even have tests for this case). I think the case is different when CURLOPT_COOKIELIST is used as it then doesn't know for which domain that cookie is used.

I don't think an actual cookie received over the wire can end up without a domain, so the case for that is only when passed in via the libcurl API. Or am I wrong?

I'll agree that using "unknown" as domain name is not really reliable, and it would make sense to invent a better way to handle these cookies. I think the point is that it cannot be blank so it needs to be stored somehow and actually I don't think we've ever really fully thought through this case.

[jay]

I don't think an actual cookie received over the wire can end up without a domain, so the case for that is only when passed in via the libcurl API. Or am I wrong?

It's specific to CURLOPT_COOKIELIST as far as I can tell.

[bagder]

I think we could start with not using "unknown" for the domain in the file. The question is what we should do instead. Just refuse to save it?

[jay]

I think we could start with not using "unknown" for the domain in the file. The question is what we should do instead. Just refuse to save it?

I can't think of any reason to continue except we could break a user's script. I've been racking my brain to figure out just what such a script does though.

[bagder]

I think we should refuse to save it to start with, as then we maintain the functionality at least but we stop the creation of a domain that wasn't used to begin with.

[jay]

I wonder if it might be better to comment them out, that way if someone has a script that needs them they can still get to them?

 static char *get_netscape_format(const struct Cookie *co)
 {
   return aprintf(
+    "%s"     /* comment (cookie missing domain) */
     "%s"     /* httponly preamble */
     "%s%s\t" /* domain */
     "%s\t"   /* tailmatch */
     "%s\t"   /* path */
     "%s\t"   /* secure */
     "%" CURL_FORMAT_CURL_OFF_T "\t"   /* expires */
     "%s\t"   /* name */
     "%s",    /* value */
+    co->domain?"":"# ",

On the other hand code parsing from CURLINFO_COOKIELIST may choke on that.

I plan to change it so cookies without a domain are no longer output re CURLINFO_COOKIELIST and CURLOPT_COOKIEJAR, unless you think above could be necessary.

[bagder]

No, I do not think we should do the commenting thing.

[jay]

Ok thanks for the feedback, landed in 3013bb6.