author: Jay Satiro <raysatiro@yahoo.com> 2015-09-03 02:35:11 -0400
committer: Jay Satiro <raysatiro@yahoo.com> 2015-09-03 02:35:11 -0400
commit: cb6a07fed03459368e71b738b1bc9448213c4dfb
tree: 1fc69a47d30f93e6f2666266fdb19ffc6e485b93 /docs/curl.1
parent: b604b7f040ebe29113daf24c73d5cb3da271c9f9
docs: Warn about any-domain cookies and multiple transfers
- Warn that cookies without a domain are sent to any domain:
  CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie
- Note that imported Set-Cookie cookies without a domain are no longer exported:
  CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar
Diffstat (limited to 'docs/curl.1')
-rw-r--r-- docs/curl.1 14
1 files changed, 13 insertions, 1 deletions
diff --git a/docs/curl.1 b/docs/curl.1
index b49c492b2..6b3feab33 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -213,7 +213,7 @@ be in the format "NAME1=VALUE1; NAME2=VALUE2".
If no '=' symbol is used in the line, it is treated as a filename to use to
read previously stored cookie lines from, which should be used in this session
-if they match. Using this method also activates the "cookie parser" which will
+if they match. Using this method also activates the cookie engine which will
make curl record incoming cookies too, which may be handy if you're using this
in combination with the \fI-L, --location\fP option. The file format of the
file to read cookies from should be plain HTTP headers or the Netscape/Mozilla
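Review bot: the rename on the changed line, from the quoted "cookie parser" to cookie engine, should be checked against the rest of curl.1 and the libcurl option pages named in the commit message, so that one term is used throughout. The paragraph added in the next hunk relies on it ("If the cookie engine is enabled"), and a reader who meets the old term elsewhere has no way to know the two are the same thing. If other occurrences remain, rename them in this commit or a follow-up.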
@@ -223,6 +223,15 @@ The file specified with \fI-b, --cookie\fP is only used as input. No cookies
will be written to the file. To store cookies, use the \fI-c, --cookie-jar\fP
option.
+Exercise caution if you are using this option and multiple transfers may occur.
+If you use the NAME1=VALUE1; format, or in a file use the Set-Cookie format and
+don't specify a domain, then the cookie is sent for any domain (even after
+redirects are followed) and cannot be modified by a server-set cookie. If the
+cookie engine is enabled and a server sets a cookie of the same name then both
+will be sent on a future transfer to that server, likely not what you intended.
+To address these issues set a domain in Set-Cookie (doing that will include
+sub-domains) or use the Netscape format.
+
If this option is used several times, the last one will be used.
.IP "-B, --use-ascii"
(FTP/LDAP) Enable ASCII transfer. For FTP, this can also be enforced by using
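Review bot: the closing sentence of the added paragraph offers remedies only for file input ("set a domain in Set-Cookie ... or use the Netscape format"), but the warning opens with the command-line "NAME1=VALUE1;" form, which has no place to put a domain. State explicitly that a cookie given as a string on the command line cannot be scoped and that users who follow redirects or run multiple transfers should supply the cookie from a file instead. Two smaller points in the same paragraph: "NAME1=VALUE1; format" should match the quoted form used earlier in this option's text ("NAME1=VALUE1; NAME2=VALUE2"), and "likely not what you intended" would be clearer if it said which of the two same-named cookies the server may end up acting on, or that this is undefined.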
@@ -254,6 +263,9 @@ won't fail or even report an error clearly. Using -v will get a warning
displayed, but that is the only visible feedback you get about this possibly
lethal situation.
+Since 7.43.0 cookies that were imported in the Set-Cookie format without a
+domain name are not exported by this option.
+
If this option is used several times, the last specified file name will be
used.
.IP "-C, --continue-at <offset>"
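Review bot: the added sentence "Since 7.43.0 cookies that were imported in the Set-Cookie format without a domain name are not exported by this option" does not say whether the user is told when cookies are left out of the jar. The context immediately above is about how little feedback this option gives ("Using -v will get a warning displayed, but that is the only visible feedback"), so the new text should say whether the omission produces any message, even under -v. It would also help to point back to \fI-b, --cookie\fP, where the import and the any-domain behaviour are described, so a reader who finds a cookie missing from the jar can trace why.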