[SOLVED] Send Cookies with TFPHTTPClient

[BlueIcaro]

Hello, I using TFPHTTPClient to connect to a machine, with basic autentication.
When I connect the server send two cookies, like this

Set-Cookie: -http-session-=13::http.session::6c1017723e63b546ecef71f05570e639; path=/; secure; httponly; SameSite=None
Set-Cookie: ABBCX=1310729; path=/; secure; httponly; SameSite=None

So I have to send back the cookies. But I don't how.


Thanks in advance
Edit: The problem is TFPHTTPClient that only stores one cookie
/BlueIcaro

[BlueIcaro]

Hi, I found the solution.

I read the responseheaders, and I store the cookie in a tstringlist. Then when I need, I clear the cookies in TFPHTTPClient, and I add the stringlist stored before.

/BlueIcaro

[Leledumbo]

Hi, I found the solution.

I read the responseheaders, and I store the cookie in a tstringlist. Then when I need, I clear the cookies in TFPHTTPClient, and I add the stringlist stored before.

/BlueIcaro

You don't actually need to, just reuse the TFPHTTPClient instance, it's designed to work like a browser, i.e. every Set-Cookie in the response header from previous call will be stored and sent back accordingly on subsequent request.
This is where the cookies are read and stored.
This is where it's read back and put into the request.

[TRon]

You don't actually need to, just reuse the TFPHTTPClient instance, it's designed to work like a browser, i.e. every Set-Cookie in the response header from previous call will be stored and sent back accordingly on subsequent request.

In practice it doesn't, at least it is not working for me with FPC 3.2.2. I have to manually (re)set the cookies and even that is not always working as expected because of the manner in which the cookies are stored inside fphttpclient (it does not 100% comply to cookies standards being used).

Took me quite a while before I realized that received cookies are not set on the next request.

[BlueIcaro]

Hello, I using Lazarus 3.0 and Fpc 3.2.2 (the last stable Lazarus revision).
The problem is TFPHTTPClient, that only stores the first cookie. I recibe this from the server:

Set-Cookie: -http-session-=16::http.session::b3997d393228c57235348486e88227c7; path=/; secure; httponly; SameSite=None
Set-Cookie: ABBCX=1507337; path=/; secure; httponly; SameSite=None
Vary: Accept-Encoding
Content-Type: application/hal+json;v=2.0
X-Content-Type-Options: nosniff
Date: Tue, 09 Jan 2024 11:23:42 GMT
Cache-Control: no-cache="set-cookie", max-age=0, no-cache, no-store
Content-Length: 12181
X-XSS-Protection: 1; mode=block
Connection: close
Pragma: no-cache
Expires: -1
Accept-Ranges: bytes

As you can see that the servers sends two orders "Set-Cookie". In this case TFPHTTPClient stored this:

Cookies stored at TFPHTTPClient
-http-session-=23::http.session::e282e5ab2b7bed57a8267a11c0b9e673
path=/
secure
httponly
SameSite=None
ABBCX=1966090
path=/
secure
httponly
SameSite=None

If I send back this information I got a error 401 Unauthorized. So the solution that I found was clear the cookies and store only this two lines:

-http-session-=23::http.session::e282e5ab2b7bed57a8267a11c0b9e673
ABBCX=1507337

The problem is that cookie property stores the cookie name, the value and all optional parameters of the cookie.

Take a look of this document https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Of course I can be wrong, because I'm not a expert in this area

/BlueIcaro

[TRon]

Of course I can be wrong, because I'm not a expert in this area

No, you are not wrong BlueIcaro.

Indeed only one cookie is 'remembered' if multiple ones are received. see also this thread.

[Leledumbo]

Ah, I think I remember. Those implementations I pointed above was indeed wrong, and it's been so for like 10-12 years (my bug report was gone, it was still on Mantis, perhaps closed and not migrated). Looks like another contribution of mine will have to come. In the mean time, indeed you have to manually add it.

[Thaddy]

I believe Michael (MvC) wrote the cookie code so ask him.

[Leledumbo]

I believe Michael (MvC) wrote the cookie code so ask him.

Yes he did, I remember he said about implementing a CookieJar but it stopped there.

[Leledumbo]

Feel free to track the changes here.

[TRon]

Thank you very much Leledumbo.

I also wondered why it got not implemented/fixed so thank you for the explanation.

[Leledumbo]

I also wondered why it got not implemented/fixed so thank you for the explanation.

Simply forgotten, I guess. You know, we're old

[TRon]

Simply forgotten, I guess. You know, we're old

At least we're this