GenHTTP · 4mo ago · 18 replies
Martin | ZenAlgo.com

Cached request cookie across-clients?

Solved
Hi,
Long time no see. 😅
I'm noticing something very weird and concerning from a security perspective. I have yet to create minimal repro steps to make sure where the issue is, but this is the behavior I'm observing on the latest GenHTTP version:

In browser A) I authenticate with my backend hosted with GenHTTP.
- The last step of login is calling SetAuthCookie
- I observe in browser dev tools that the cookie is set

In browser B) (different browser or new private window)
- I observe no cookie is set for the domain / localhost
- I call any authenticated endpoint
- Server responds with the cookie from browser A's context!!!
- I debugged the Extract function and on the new request from browser B it contains the cookie, while it should not contain the cookie

My key extract function and set cookie function:
using GenHTTP.Api.Protocol;

public static class AuthKeyExtractor
{
    private const string ApiKey = "api-key";
    private const string BearerPrefix = "Bearer ";

    // Returns the API key carried by the request: a bearer token takes
    // precedence, otherwise the auth cookie; empty string if neither is present.
    public static string Extract(IRequest request)
    {
        if (request.Headers.TryGetValue("Authorization", out string value)
            && value != null
            && value.StartsWith(BearerPrefix))
        {
            return value[BearerPrefix.Length..];
        }

        // Only read the cookie value when the cookie was actually sent;
        // the original unguarded lookup relied on the default Cookie value.
        if (request.Cookies.TryGetValue(ApiKey, out var cookie))
        {
            return cookie.Value ?? string.Empty;
        }

        return string.Empty;
    }

    public static IResponseBuilder SetAuthCookie(this IResponseBuilder builder, string apiKey)
    {
        return builder.Cookie(new Cookie(ApiKey, apiKey, 2147483647));
    }

    public static string GetUserAgent(this IRequest request)
    {
        return request.UserAgent ?? string.Empty;
    }
}
I'm going to investigate further, it is well possible I'm doing something wrong on my end. I'm sharing this in case you have a clue there might be something off in GenHTTP side.
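The two-browser check described in the post, written as a regression probe that can be re-run after upgrading the server. This is an added example, not code from the post or from GenHTTP; the base URL, the POST /login endpoint, the GET /me authenticated endpoint and the credentials are hypothetical placeholders, and only the cookie name "api-key" comes from the post.

```python
"""Probe for cross-client cookie leakage (added example, not GenHTTP code).
Assumed, hypothetical layout: POST /login sets the api-key cookie for client A;
GET /me requires authentication. Client B is a fresh connection with no cookies."""
import http.client
import json
from urllib.parse import urlparse

COOKIE_NAME = "api-key"  # cookie name used in the post's AuthKeyExtractor


def leaked_values(headers, body, secret):
    """Findings if client A's key `secret` surfaces in a response meant for client B.
    `headers` is a list of (name, value) pairs as returned by getheaders()."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie" and value.startswith(COOKIE_NAME + "="):
            findings.append(f"Set-Cookie for {COOKIE_NAME} sent to a client that never logged in")
        if secret and secret in value:
            findings.append(f"client A key echoed in header {name}")
    if secret and secret.encode() in body:
        findings.append("client A key echoed in response body")
    return findings


def _request(base, method, path, body=None, cookie=None):
    u = urlparse(base)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    hdrs = {"Content-Type": "application/json"}
    if cookie:
        hdrs["Cookie"] = cookie
    conn.request(method, path, body=body, headers=hdrs)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheaders(), data


def probe(base):
    """Log in as client A, then hit the authenticated endpoint as cookie-less client B."""
    _, hdrs_a, _ = _request(base, "POST", "/login", json.dumps({"user": "a", "password": "placeholder"}))
    key = ""
    for name, value in hdrs_a:
        if name.lower() == "set-cookie" and value.startswith(COOKIE_NAME + "="):
            key = value.split(";", 1)[0].split("=", 1)[1]
    status_b, hdrs_b, body_b = _request(base, "GET", "/me")  # no Cookie header at all
    findings = leaked_values(hdrs_b, body_b, key)
    if status_b == 200:
        findings.append("authenticated endpoint returned 200 to a client without a cookie")
    return findings  # empty list means the two clients were isolated
```

Run `probe("http://localhost:8080")` against the backend; any non-empty result reproduces the cross-client behavior the post describes.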
Solution
10.1.1 passed my test, thank you!