Cookies aren't always sent to subdomains

Manually adding cookies to the using any of the constructors of Cookie except for this one https://github.com/HtmlUnit/htmlunit/blob/e1f559f15a682a325a55ae4ed41b116653f21eeb/src/main/java/com/gargoylesoftware/htmlunit/util/Cookie.java#L99-L101

results in cookies not being sent for subdomains, even though they should be sent as per section 5.1.3 of RFC 6265.

The root cause is that HtmlUnitDomainHandler delegates to BasicDomainHandler which contains the following code:

  // ...
  if (cookie instanceof ClientCookie) {
    if (((ClientCookie) cookie).containsAttribute(ClientCookie.DOMAIN_ATTR)) {
      return domainMatch(domain, host);
    }
  }
  return false;

And the domain attribute is never set in the constructors of Cookie. If it is set, however, domainMatch does properly handle subdomains.

Example code:

  @Test
  public void testSameDomain() throws IOException {
    try (final WebClient webClient = new WebClient()) {
      Cookie cookie = new Cookie("example.com", "name", "value");

      webClient.getCookieManager().setCookiesEnabled(true);
      webClient.getCookieManager().addCookie(cookie);

      final HtmlPage subDomainRequest = webClient.getPage("http://example.com");
      System.out.println(subDomainRequest);
    }
  }

  @Test
  public void testSubdomain() throws IOException {
    try (final WebClient webClient = new WebClient()) {
      Cookie cookie = new Cookie("example.com", "name", "value");

      webClient.getCookieManager().setCookiesEnabled(true);
      webClient.getCookieManager().addCookie(cookie);

      final HtmlPage subDomainRequest = webClient.getPage("http://www.example.com");
      System.out.println(subDomainRequest);
    }
  }

Enabling DEBUG-level logging of org.apache.http.client.protocol.RequestAddCookies and running these tests results in:

  • testSameDomain:

    16:44:31.815 [main] DEBUG o.a.h.c.protocol.RequestAddCookies - CookieSpec selected: mine
    16:44:31.824 [main] DEBUG o.a.h.c.protocol.RequestAddCookies - Cookie [version: 0][name: name][value: value][domain: example.com][path: null][expiry: null] match [example.com:80/]
    HtmlPage(http://example.com/)@1360541835

  • testSubdomain (cookie not sent):

    16:44:32.420 [main] DEBUG o.a.h.c.protocol.RequestAddCookies - CookieSpec selected: mine
    HtmlPage(http://www.example.com/)@841166421


Possible workaround: Directly instantiate a BasicClientCookie (outside of HtmlUnit’s domain) and pass it to Cookie

  @Test
  public void testSameDomainWithClientCookie() throws IOException {
    try (final WebClient webClient = new WebClient()) {
      BasicClientCookie clientCookie = new BasicClientCookie("name", "value");
      clientCookie.setDomain("example.com");
      clientCookie.setAttribute(ClientCookie.DOMAIN_ATTR, "example.com");
      Cookie cookie = new Cookie(clientCookie);

      webClient.getCookieManager().setCookiesEnabled(true);
      webClient.getCookieManager().addCookie(cookie);

      final HtmlPage subDomainRequest = webClient.getPage("http://example.com");
      System.out.println(subDomainRequest);
    }
  }

  @Test
  public void testSubdomainWithClientCookie() throws IOException {
    try (final WebClient webClient = new WebClient()) {
      BasicClientCookie clientCookie = new BasicClientCookie("name", "value");
      clientCookie.setDomain("example.com");
      clientCookie.setAttribute(ClientCookie.DOMAIN_ATTR, "example.com");
      Cookie cookie = new Cookie(clientCookie);

      webClient.getCookieManager().setCookiesEnabled(true);
      webClient.getCookieManager().addCookie(cookie);

      final HtmlPage subDomainRequest = webClient.getPage("http://www.example.com");
      System.out.println(subDomainRequest);
    }
  }

Running these with the same log config results in:

  • testSameDomainWithClientCookie:

    18:06:55.032 [main] DEBUG o.a.h.c.protocol.RequestAddCookies - CookieSpec selected: mine
    18:06:55.032 [main] DEBUG o.a.h.c.protocol.RequestAddCookies - Cookie [version: 0][name: name][value: value][domain: example.com][path: null][expiry: null] match [example.com:80/]
    HtmlPage(http://example.com/)@841166421

  • testSubdomainWithClientCookie:

    18:06:55.808 [main] DEBUG o.a.h.c.protocol.RequestAddCookies - CookieSpec selected: mine
    18:06:55.809 [main] DEBUG o.a.h.c.protocol.RequestAddCookies - Cookie [version: 0][name: name][value: value][domain: example.com][path: null][expiry: null] match [www.example.com:80/]
    HtmlPage(http://www.example.com/)@467632528

The workaround is dirty and hackish. A cleaner solution might be to modify constructors of Cookie to set the domain attribute, or to alter HtmlUnitDomainHandler to handle subdomains.
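
The BasicDomainHandler snippet quoted in the report applies domainMatch only when the cookie carries a domain attribute, which mirrors the host-only distinction in RFC 6265 (a cookie stored without a Domain attribute is sent only to the exact host, section 5.4; one stored with it is sent to any host that domain-matches, section 5.1.3). The following is an added example, not code from HtmlUnit, Apache HttpClient or the original report; the class name, method names and sample inputs are illustrative assumptions.

```java
import java.util.Locale;

/** Illustrative RFC 6265 cookie scoping check; all names here are hypothetical. */
public class CookieDomainMatchDemo {

    /** RFC 6265 section 5.1.3: does the request host domain-match the cookie domain? */
    static boolean domainMatch(String cookieDomain, String host) {
        String domain = cookieDomain.toLowerCase(Locale.ROOT);
        if (domain.startsWith(".")) {
            domain = domain.substring(1); // a leading dot is ignored (section 5.2.3)
        }
        String h = host.toLowerCase(Locale.ROOT);
        if (h.equals(domain)) {
            return true; // identical strings always match
        }
        // Suffix match only on a label boundary, and never for IP literals.
        return h.endsWith("." + domain) && !isIpLiteral(h);
    }

    /** Rough IP check: IPv6 literals contain ':'; IPv4 is digits and dots only. */
    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || host.matches("[0-9.]+");
    }

    // RFC 6265 section 5.4: without a Domain attribute the cookie is host-only and
    // needs an exact host match; with the attribute, domainMatch decides.
    static boolean shouldSend(String cookieDomain, boolean hasDomainAttr, String host) {
        if (!hasDomainAttr) {
            return host.equalsIgnoreCase(cookieDomain);
        }
        return domainMatch(cookieDomain, host);
    }

    public static void main(String[] args) {
        // Constructed inputs: {cookie domain, has Domain attribute, request host}.
        String[][] cases = {
            {"example.com", "false", "example.com"},
            {"example.com", "false", "www.example.com"},
            {"example.com", "true", "www.example.com"},
            {"example.com", "true", "badexample.com"},
            {"0.0.1", "true", "127.0.0.1"},
        };
        for (String[] c : cases) {
            boolean sent = shouldSend(c[0], Boolean.parseBoolean(c[1]), c[2]);
            System.out.printf("domain=%s attr=%s host=%s -> %s%n", c[0], c[1], c[2], sent);
        }
    }
}
```

The last two cases cover the boundaries that matter when a cookie's scope is widened to subdomains: a suffix that does not fall on a label boundary, and an IP address whose tail happens to equal the cookie domain.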

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

3 reactions
rbri commented, Apr 10, 2021

Again thanks for the report, a new release is on the way.

1 reaction
rbri commented, Apr 6, 2021

Many thanks for this detailed report. We maybe had some similar findings during the last months. But so far I was not able to reproduce them because the pointer to the manual construction of the cookies was missing. Will enhance the test suite and fix it soon. You can have a look at twitter for news. Thanks again
