Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I have the following issue with HTTP::Cookies::Netscape when using a cookie jar generated with Linux curl: Cookies in the curl cookie jar file with the HttpOnly attribute set are written as "#HttpOnly_{Hostname}" in the file and interpreted as comments by HTTP::Cookies::Netscape, so they get ignored.
    $ curl -I https://auth.example.com --cookie-jar ./cookie.txt --basic --user somedude
    200 OK
    [...]
    Set-Cookie: session=mdkfUHAUnjdfj[...] path=/; expires=Sat, 15 Apr 2017 04:08:35 -0000; secure; HttpOnly
    [...]
    $ cat ./cookie.txt
    # Netscape HTTP Cookie File
    # https://curl.haxx.se/docs/http-cookies.html
    # This file was generated by libcurl! Edit at your own risk.
    #HttpOnly_auth.example.com FALSE / TRUE 1492227302 session mdkfUHAUnjdfj[...]
As you can see, the cookie is stored with a "#HttpOnly_" prefix in the cookie file above by curl. Feeding that file to HTTP::Cookies::Netscape, for example like this, will not produce any output, as the line is treated as a comment:
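    #!/usr/bin/env perl
    use HTTP::Cookies::Netscape;

    # The cookie jar path is the first argument; exit quietly if it is missing.
    my $cookies_file = defined($ARGV[0]) ? $ARGV[0] : exit;

    # Load the jar and dump every cookie the module accepted.
    my $Netscape_cookie_jar = HTTP::Cookies::Netscape->new( file => $cookies_file );
    print $Netscape_cookie_jar->as_string;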
Removing the "#HttpOnly_" prefix in the cookie file will however work fine. Is there a way to make HTTP::Cookies::Netscape work with these curl-generated HttpOnly cookies without modifying the original cookie file? Thanks in advance.

Re: curl-generated HttpOnly cookies and HTTP::Cookies::Netscape
by robby_dobby (Hermit) on Apr 14, 2017 at 08:34 UTC
    Hello Anonymonk,

    What makes you think that # HttpOnly_* is a commented entry in that cookie-jar? In fact, curl can perfectly understand that HttpOnly_* entry if you visit an HTTP site and will silently ignore it for HTTPS sites. The reason for this is to prevent XSS attacks. If you're using libcurl or LWP, it should work just fine without you having to go mucking with that cookie file :-)

    Read more about this here

Re: curl-generated HttpOnly cookies and HTTP::Cookies::Netscape
by RonW (Parson) on Apr 19, 2017 at 00:35 UTC

    There doesn't seem to be a HTTP::Cookies::Curl or I would suggest that.

    As robby_dobby suggested, you can try using WWW::Curl or another Curl CPAN module.

    HTTP::Cookies::Guess might work, and there are several other HTTP::Cookies:: modules in CPAN.

    Looking at the base class, HTTP::Cookies, it appears to only accept a file name for the source of cookies to load. If it would accept a string, an array or even a filehandle, you could prefilter the text as it is read.

    It would, however, be possible to prefilter the cookie jar by using a temporary file.
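
The temporary-file prefilter suggested in the last reply could look like the sketch below. This is an added example, not code from any poster in the thread; `load_curl_jar` is a hypothetical helper name, and the script assumes the jar path is passed as the first argument.

```perl
#!/usr/bin/env perl
# Added example: load a curl cookie jar into HTTP::Cookies::Netscape by
# prefiltering it through a temporary file. The original jar is not modified.
use strict;
use warnings;
use File::Temp ();
use HTTP::Cookies::Netscape;

# load_curl_jar() is a hypothetical helper, not part of any CPAN module.
sub load_curl_jar {
    my ($curl_jar) = @_;

    open my $in, '<', $curl_jar or die "Cannot read $curl_jar: $!";

    # File::Temp creates the file with mode 0600 and unlinks it when $tmp
    # goes out of scope, so session cookies are not left readable on disk.
    my $tmp = File::Temp->new(TEMPLATE => 'cookiejar-XXXXXXXX', TMPDIR => 1);

    while (my $line = <$in>) {
        # curl marks HttpOnly cookies by prefixing the domain field with
        # "#HttpOnly_"; strip only that exact prefix so real comments stay.
        $line =~ s/^#HttpOnly_//;
        print {$tmp} $line;
    }
    close $in;
    $tmp->flush;    # make sure everything is on disk before it is re-read

    # No file/autosave options: the jar object never writes back to disk.
    my $jar = HTTP::Cookies::Netscape->new;
    $jar->load($tmp->filename);
    return $jar;
}

my $file = shift @ARGV or die "Usage: $0 cookie-jar-file\n";
print load_curl_jar($file)->as_string;
```

HTTP::Cookies::Netscape still discards entries whose expiry timestamp is already in the past when it loads the file, so an old jar can come back empty even after the prefix is stripped.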