LiteCore's Replicator class has been managing HTTP cookies so far. Before creating the C4Socket it looks up cookies and adds them to the HTTP header options, and when the C4Socket returns the HTTP response the Replicator class handles the Set-Cookie header.
I'm taking this out because it isn't correct when the request gets redirected:
- The cookies will be sent on every redirected request, even to hosts they're not intended for, which could potentially leak sensitive data.
- Any Set-Cookie responses from intermediate responses will be ignored because those responses don't get sent back to the replicator.
Instead, cookies need to be applied and stored on a hop-by-hop basis, i.e. each HTTP request and response. This is the job of the platform C4Socket implementation. It should:
- Call c4db_getCookies() before sending each HTTP request and add the cookies.
- If a response contains Set-Cookie header(s), call c4db_setCookie().
This LiteCore change is currently on the development branch (feature/xsockets). I'm not sure when this branch will be merged; likely for Mercury.