hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Cookie spoofing issue using Commons Http Client 3.1
Date Mon, 09 Dec 2013 11:06:07 GMT
On Mon, 2013-12-09 at 07:01 +0000, Chirag Dewan wrote:
> Hi all,
> 
> I am using Http Client 3.1 in one of my applications. I am using it for a post request.
> 
> My request flow is like this:
> 
> 1) Client sends a login request.
> 
> 2) Server sends a session id in Set-Cookie (Set-Cookie: sessionid=x)
> 
> 3) Client sends request, with post data and same session id cookie. (Cookie: sessionid=x)
> 
> 4) Server responds to the request.
> 
> 5) Client sends another request with 2 session id Cookies, 1 from the previous requests
> and one other Session id Cookie. (Cookie: sessionid=x & Cookie: $Version=0; sessionid=y)
> 
> 6) Server unauthorizes the client.
> 
> It seems like Client is storing the session cookies, and sending 2 session cookies in
> the request and the server rejects the request based on invalid session id.
> 
> Thanks in advance.
> 
> Chirag
> 

Chirag,

HC 3.1 has been at end of life for several years now. It is neither
being maintained nor supported. It is very unlikely anyone would
investigate this issue. Please consider upgrading to HC 4.3.

Oleg
