EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Cookie manager for HTTP/HTTPS

#24870
Posted: 05/06/2013 10:06:55
by Eugene Mayevski (EldoS Corp.)

Hmm. I recommend that you read RFC 6265 before proceeding (http://tools.ietf.org/html/rfc6265#section-5.2.3). This will let you understand what cookies are and how they work.


Sincerely yours
Eugene Mayevski
#24874
Posted: 05/07/2013 03:34:23
by Walter Schrabmair (Priority Standard support level)
Joined: 05/03/2013
Posts: 150

OK; BTW I could successfully do the REFWORKS project.
I had to call 2 POSTs and set all the corresponding received cookies.

Against my assumption there was no dyn code (as you mentioned) in the POST.
I just had not set the cookies like session = ... and so on.
Thanks for your help
Walter
#25065
Posted: 05/27/2013 08:14:39
by Hans Bäcklund (Standard support level)
Joined: 04/22/2013
Posts: 4

I'll borrow this thread if it's ok :)

I didn't really understand the "domain cookie"-part...
Why does the CookieManager think a cookie with no "Domain"-attribute is not valid?
The "Domain"-attribute is optional after all.

If I get a Set-Cookie with a cookie with a value (and a path) but no domain it's not validated and therefore never saved in the CookieManager.

I've traced it down and found out that the manager gets the cookie, parses the cookie and fails to validate it.
If it would validate it would have gotten default values (e.g. for Domain) but that never happens because it fails to validate before that.
Is this WAD?

Best regards /Hans Bäcklund
#25066
Posted: 05/27/2013 08:57:13
by Eugene Mayevski (EldoS Corp.)

Quote
Hans Bäcklund wrote:
Why does the CookieManager think a cookie with no "Domain"-attribute is not valid? The "Domain"-attribute is optional after all.


This happens probably due to incorrect understanding of the RFC section 5.2.3. We've fixed the code to accept the domain-less cookie as if it were set for currently connected host.


Sincerely yours
Eugene Mayevski
#25069
Posted: 05/27/2013 10:24:37
by Hans Bäcklund (Standard support level)
Joined: 04/22/2013
Posts: 4

Quote
Eugene Mayevski wrote:
Quote
Hans Bäcklund wrote:
Why does the CookieManager think a cookie with no "Domain"-attribute is not valid? The "Domain"-attribute is optional after all.

This happens probably due to incorrect understanding of the RFC section 5.2.3. We've fixed the code to accept the domain-less cookie as if it were set for currently connected host.


Ok, fixed is always nice :)
In what version was/will this be fixed?

Best regards /Hans Bäcklund
#25070
Posted: 05/27/2013 10:27:52
by Eugene Mayevski (EldoS Corp.)

In the closest build, which is the next beta of SecureBlackbox 11.


Sincerely yours
Eugene Mayevski
#25083
Posted: 05/28/2013 02:31:25
by Hans Bäcklund (Standard support level)
Joined: 04/22/2013
Posts: 4

Okay, now all I have to do is wait and buy SBB11 when released.

But first I have to persuade those who make the final decision in purchases like these why we have to buy a new version to get the stuff we originally bought working. I'm pretty sure they will try to go the "Indy-route", that's what they did when I persuaded them to buy SBB instead in the first place.

Oh, I have a feeling I will be fed my own old arguments.
I can almost see them coming back to me.

This could be hard work!
Wish me luck...

/Hans :(
#28490
Posted: 02/20/2014 09:04:51
by Jochem Burger (Priority Standard support level)
Joined: 02/18/2014
Posts: 6

Hi,

I've been testing with the latest Windows Phone 8 version of SecureBlackbox (11.0.245.0) and it seems that this problem still persists. I've created the following code sample in order to reproduce the problem and see some different circumstances in which it does and doesn't occur.

A System.ArgumentOutOfRangeException is thrown whenever the TElCookieManager.SetCookiesForURL method is being called. The message inside the exception states "Length cannot be less than zero.
Parameter name: length". This only seems to happen when there is no domain supplied in the cookie.

Code
var urls = new List<string>
{
   "http://www.google.com",
   "http://www.google.com/",
   "https://www.google.com",
   "https://www.google.com/",
   "http://www.eldos.com",
   "http://www.eldos.com/",
   "https://www.eldos.com",
   "https://www.eldos.com/",
   "localhost"
};

var cookies = new List<TElStringList>
{
   new TElStringList
   {
      "LBCSS=0000...0000; Path=/"
   },
   new TElStringList
   {
      "LBCSS=0000...0000;Path=/"
   },
   new TElStringList
   {
      "LBCSS=0000...0000;Domain=.eldos.com"
   },
   new TElStringList
   {
      "LBCSS=0000...0000;Path=/;Domain=.eldos.com"
   },
   new TElStringList
   {
      "LBCSS=0000...0000;",
      "Path=/"
   },
   new TElStringList
   {
      "LBCSS=0000...0000",
      "Path=/"
   },
   new TElStringList
   {
      "PREF=ID=92e194e4317fc5e7:FF=0:TM=1392902459:LM=1392902459:S=tFkrwQSP6F23HxZW; expires=Sat, 20-Feb-2016 13:20:59 GMT; path=/; domain=.google.nl"
   },
   new TElStringList
   {
      "PREF=ID=92e194e4317fc5e7:FF=0:TM=1392902459:LM=1392902459:S=tFkrwQSP6F23HxZW; path=/; domain=.google.nl"
   },
   new TElStringList
   {
      "PREF=ID=92e194e4317fc5e7:FF=0:TM=1392902459:LM=1392902459:S=tFkrwQSP6F23HxZW; expires=Sat, 20-Feb-2016 13:20:59 GMT; path=/;"
   },
   new TElStringList
   {
      "PREF=ID=92e194e4317fc5e7:FF=0:TM=1392902459:LM=1392902459:S=tFkrwQSP6F23HxZW; path=/;"
   },
   new TElStringList
   {
      ""
   }
};

var cookieManager = new TElCookieManager();

foreach (var url in urls)
{
   foreach (var cookie in cookies)
   {
      try
      {
         cookieManager.SetCookiesForURL(url, cookie, DateTime.UtcNow, 0);
         Debug.WriteLine("Did set cookies for url");
         Debug.WriteLine("Url: {0}", url);
         Debug.WriteLine("Cookies: {0}", cookie.Text);
      }
      catch (Exception)
      {
         Debug.WriteLine("Could not set cookies for url");
         Debug.WriteLine("Url: {0}", url);
         Debug.WriteLine("Cookies: {0}", cookie.Text);
      }

      Debug.WriteLine("");
   }
}


The stacktrace looks like this:
Code
at System.String.InternalSubStringWithChecks(Int32 startIndex, Int32 length, Boolean fAlwaysCopy)
at System.String.Substring(Int32 startIndex, Int32 length)
at SBCookieMgr.TElCookieManager.ValidateCookie(TElCookie Cookie, String Host, String Path, Int32 Port)
at SBCookieMgr.TElCookieManager.SetCookiesForURL(String URL, TElStringList CookieList, DateTime ReceivedAt, Int32 ForceFormat)


I've attached the output as a file.
#28507
Posted: 02/21/2014 06:39:13
by Vsevolod Ievgiienko (EldoS Corp.)

The System.ArgumentOutOfRangeException problem is fixed and the fix will go to the next SecureBlackbox build.
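
Added example, not part of the original thread and not SecureBlackbox code: a sketch of the RFC 6265 Domain handling discussed above (sections 5.1.3, 5.2.3 and 5.3), in which a cookie without a Domain attribute becomes a host-only cookie for the connected host and malformed input is ignored rather than raising an exception. `StoredCookie` and `CookieDomain.Accept` are hypothetical names, the caller is assumed to pass the bare request host (no scheme or port), and the public-suffix check of section 5.3 step 5 is omitted.

```csharp
using System;
using System.Net;

// Added example, not SecureBlackbox code: StoredCookie and CookieDomain are hypothetical names.
public sealed class StoredCookie
{
    public string Name, Value, Domain;
    public bool HostOnly;   // true: send only to the exact host that set the cookie
}

public static class CookieDomain
{
    // RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a non-IP host.
    static bool DomainMatches(string host, string domain)
    {
        IPAddress ip;
        return host == domain ||
               (host.EndsWith("." + domain, StringComparison.Ordinal) && !IPAddress.TryParse(host, out ip));
    }

    // Returns null when the header must be ignored; malformed input never throws.
    public static StoredCookie Accept(string requestHost, string setCookie)
    {
        string host = (requestHost ?? "").Trim().ToLowerInvariant();
        string[] parts = (setCookie ?? "").Split(';');
        int eq = parts[0].IndexOf('=');
        if (host.Length == 0 || eq < 0) return null;        // no host or no name=value pair
        string name = parts[0].Substring(0, eq).Trim();
        if (name.Length == 0) return null;                  // empty cookie name
        string domainAttr = "";
        for (int i = 1; i < parts.Length; i++)
        {
            string[] av = parts[i].Split(new[] { '=' }, 2);
            if (av.Length < 2 || !av[0].Trim().Equals("Domain", StringComparison.OrdinalIgnoreCase)) continue;
            string d = av[1].Trim().ToLowerInvariant();
            if (d.Length == 0) continue;                    // 5.2.3: empty value, ignore the attribute
            domainAttr = d[0] == '.' ? d.Substring(1) : d;  // drop one leading dot; last Domain wins
        }
        var c = new StoredCookie { Name = name, Value = parts[0].Substring(eq + 1).Trim() };
        if (domainAttr.Length == 0)
        {
            c.HostOnly = true;                              // 5.3 step 6: bind to the request host
            c.Domain = host;
        }
        else
        {
            if (!DomainMatches(host, domainAttr)) return null;   // foreign domain: ignore the cookie
            c.Domain = domainAttr;
        }
        return c;
    }
}
```

With the test strings from the post above, `Accept("www.eldos.com", "LBCSS=0000...0000; Path=/")` yields a host-only cookie for `www.eldos.com`, while the `domain=.google.nl` cookies offered on `www.google.com` and the empty string all return null.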


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.