Platform WebSocket code should manage HTTP cookies
Description
LiteCore's Replicator class has been managing HTTP cookies so far. Before creating the C4Socket it looks up cookies and adds them to the HTTP header options, and when the C4Socket returns the HTTP response the Replicator class handles the Set-Cookie header.
I'm taking this out because it isn't correct when the request gets redirected:
The cookies will be sent on every redirected request, even to hosts they're not intended for, which could potentially leak sensitive data.
Any Set-Cookie responses from intermediate responses will be ignored because those responses don't get sent back to the replicator.
Instead, cookies need to be applied and stored on a hop-by-hop basis, i.e. each HTTP request and response. This is the job of the platform C4Socket implementation. It should:
Call c4db_getCookies() before sending each HTTP request and add the cookies.
If a response contains Set-Cookie header(s), call c4db_setCookie().
This LiteCore change is currently on the development branch (feature/xsockets). I'm not sure when this branch will be merged; likely for Mercury.
I have the fixes ready in my local branch, not committed, waiting for confirmation. Also I was getting a crash when running the unit tests, which might be due to the same race condition, i haven't looked at that carefully, i can share the stack trace.
Jens Alfke October 3, 2019 at 5:08 PM
I just realized a problem with passing the C4Database to the C4Socket – there's no thread safety. If I pass the original C4Database, the socket code might call into it at the same time as CBL does. But if I pass the C4Database instance being used by the replicator, the socket code might call it at the same time as the replicator. Dammit. With the current implementation, the socket code is presumably using the CBL Database object which is thread-safe.
Fixed
Pinned fields
Click on the next to a field label to start pinning.
LiteCore's Replicator class has been managing HTTP cookies so far. Before creating the C4Socket it looks up cookies and adds them to the HTTP header options, and when the C4Socket returns the HTTP response the Replicator class handles the Set-Cookie header.
I'm taking this out because it isn't correct when the request gets redirected:
The cookies will be sent on every redirected request, even to hosts they're not intended for, which could potentially leak sensitive data.
Any Set-Cookie responses from intermediate responses will be ignored because those responses don't get sent back to the replicator.
Instead, cookies need to be applied and stored on a hop-by-hop basis, i.e. each HTTP request and response. This is the job of the platform C4Socket implementation. It should:
Call c4db_getCookies() before sending each HTTP request and add the cookies.
If a response contains Set-Cookie header(s), call c4db_setCookie().
This LiteCore change is currently on the development branch (feature/xsockets). I'm not sure when this branch will be merged; likely for Mercury.