Fixed
Pinned fields
Click on the next to a field label to start pinning.
Details
Details
Assignee
Pasin Suriyentrakorn
Pasin Suriyentrakorn
Reporter
Pasin Suriyentrakorn
Pasin SuriyentrakornStory Points
5
Components
Sprint
None
Fix versions
Affects versions
Priority
MajorInstabug
Open Instabug
PagerDuty
PagerDuty
Sentry
Sentry
Zendesk Support
Zendesk Support
Created September 11, 2019 at 9:27 PM
Updated August 31, 2024 at 10:56 AM
Resolved August 13, 2020 at 12:07 AM
LiteCore's Replicator class has been managing HTTP cookies so far. Before creating the C4Socket it looks up cookies and adds them to the HTTP header options, and when the C4Socket returns the HTTP response the Replicator class handles the Set-Cookie header.
I'm taking this out because it isn't correct when the request gets redirected:
The cookies will be sent on every redirected request, even to hosts they're not intended for, which could potentially leak sensitive data.
Any Set-Cookie responses from intermediate responses will be ignored because those responses don't get sent back to the replicator.
Instead, cookies need to be applied and stored on a hop-by-hop basis, i.e. each HTTP request and response. This is the job of the platform C4Socket implementation. It should:
Call c4db_getCookies() before sending each HTTP request and add the cookies.
If a response contains Set-Cookie header(s), call c4db_setCookie().
This LiteCore change is currently on the development branch (feature/xsockets). I'm not sure when this branch will be merged; likely for Mercury.