edorivai/koa-proxy

cookies are preserved between requests

Closed this issue · 4 comments

When using jar:true, cookies will be preserved between requests.

If client X makes a request containing a specific header, all subsequent requests for all other clients will also send this cookie to the destination host. So when client Y makes a request via the proxy, the request will contain client X's cookies :(

This is specifically problematic as cookies are often used for authentication / session tokens, meaning that in some cases users may be identified as other users at the destination host.

Due to the security implications, I think this bug should be considered very severe.

Just for context: I didn't write the initial version of this lib, so I needed to dig in a bit to find out how the cookie stuff really works. From what I see, specifying jar: true gets passed directly through to request, which then uses a global cookie jar (source):

Cookies are disabled by default (else, they would be used in subsequent requests). To enable cookies, set jar to true

I cannot really imagine this is the type of behavior that you usually want in a proxy, it would make more sense for the proxy to just forward the untouched cookie header in both directions (req and res).

I suppose if we enforce this, it would be a breaking change, but perhaps it would be for the best. Cookies being shared without people realizing is a major issue!

Did more examination of the code (like you) and arrived at a similar conclusion as @edorivai. Setting jar:true gets passed on to the request-promise library, which is a dependency of this library.

However, the documentation of the request-promise lib provides a different description for the jar parameter, according to it setting jar:true will:

Put cookie in a jar which can be used across multiple requests

Which is why I encountered the behaviour I did (Sessions shared between requests of different users).

So it seems this is not an actual bug in this (koa-proxy) library, but just a really bad bug in the documentation, which states that jar:true must be set for cookies to be proxied to the target host. That is not true: it appears that cookies are always proxied to the host, but are preserved by the proxy when jar:true is set.

I recommend double-checking this claim of mine (I'll try to find time to double check myself), and then we can simply resolve this issue by altering the documentation accordingly. Let's try to be quick about it to help others avoid extremely unfortunate incidents where sessions are shared between different users.
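The following is an added example and is not code from koa-proxy, request or request-promise. It models the two behaviours discussed in the issue body and in the comment above: a single cookie jar shared by every client that passes through the proxy (the jar:true behaviour described), versus plain pass-through of each client's own Cookie header. There is no network; the hostname, the header values and the simulated upstream are all constructed for the demo.

```javascript
// Added example (not koa-proxy's code): two ways a proxy can treat cookies.
// Strategy A mirrors what the issue describes for jar:true: one cookie jar
// shared by every client that passes through the proxy. Strategy B forwards
// each client's own Cookie header untouched. Requests and responses are plain
// header objects and the upstream is simulated, so this runs offline.

// A process-wide jar: host -> Map(cookieName -> value).
class SharedCookieJar {
  constructor() {
    this.store = new Map();
  }

  // Record cookies from an upstream response. Only the name=value pair is
  // kept; attributes such as Path or HttpOnly are dropped for this demo.
  setFromResponse(host, setCookieHeaders) {
    const cookies = this.store.get(host) || new Map();
    for (const header of setCookieHeaders) {
      const [pair] = header.split(';');
      const eq = pair.indexOf('=');
      if (eq > 0) cookies.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    }
    this.store.set(host, cookies);
  }

  // Build the Cookie header the jar would attach to a request for `host`.
  cookieHeaderFor(host) {
    const cookies = this.store.get(host);
    if (!cookies || cookies.size === 0) return undefined;
    return [...cookies].map(([k, v]) => `${k}=${v}`).join('; ');
  }
}

// Strategy A: jar:true semantics. The proxy does not look at who is asking;
// whatever the jar holds for the host is attached to every outgoing request.
function forwardWithSharedJar(jar, host, clientHeaders) {
  const upstream = { ...clientHeaders, host };
  const jarCookie = jar.cookieHeaderFor(host);
  if (jarCookie) upstream.cookie = jarCookie;
  return upstream;
}

// Strategy B: pass-through. The upstream request carries exactly the Cookie
// header the requesting client sent, or none at all.
function forwardPassThrough(host, clientHeaders) {
  return { ...clientHeaders, host };
}

// Simulated upstream (constructed): a login request sets a session cookie for
// that user; every response reports which Cookie header it received.
function simulateUpstream(upstreamHeaders, login) {
  const setCookie = login ? [`session=${login}; Path=/; HttpOnly`] : [];
  return { setCookie, receivedCookie: upstreamHeaders.cookie };
}

// Run one strategy through the scenario from the issue: client X logs in,
// then client Y (who sent no cookies at all) makes a request via the same
// proxy. Returns the Cookie header the upstream saw for each client.
function runScenario(strategy) {
  const host = 'upstream.example'; // constructed hostname
  const jar = new SharedCookieJar();

  const proxy = (clientHeaders, login) => {
    const upstream = strategy === 'sharedJar'
      ? forwardWithSharedJar(jar, host, clientHeaders)
      : forwardPassThrough(host, clientHeaders);
    const res = simulateUpstream(upstream, login);
    // With a shared jar the proxy remembers Set-Cookie for everyone; with
    // pass-through the Set-Cookie goes back to the client that earned it.
    if (strategy === 'sharedJar') jar.setFromResponse(host, res.setCookie);
    return res;
  };

  proxy({ 'user-agent': 'client-x' }, 'alice');                             // X logs in
  const xAgain = proxy({ 'user-agent': 'client-x', cookie: 'session=alice' }); // X returns
  const y = proxy({ 'user-agent': 'client-y' });                             // Y, no cookie
  return { cookieSeenFromX: xAgain.receivedCookie, cookieSeenFromY: y.receivedCookie };
}

console.log('shared jar  :', runScenario('sharedJar'));
console.log('pass-through:', runScenario('passThrough'));
```

With the shared jar, Y's request reaches the upstream carrying `session=alice` even though Y never sent a cookie, which is the session mix-up the issue reports; with pass-through, X keeps its own session and Y's request carries no Cookie header. A quick way to check a deployment for this is exactly what the scenario does: send one request with a known cookie, then a second request from a fresh client, and inspect the Cookie header that arrives at the destination host.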

Tested and confirmed this problem was due to bad documentation. Fixed documentation, see PR. Issue can be closed after merge.

Thanks for updating the docs!