Summary: ASTERISK-21789: ast_http_get_cookies() fails in the presence of RFC2965 Cookie2 header
Reporter: Stuart Henderson (sthen)
Labels:
Date Opened: 2013-05-16 15:53:48
Date Closed: 2013-07-20 22:11:01
Status: Closed/Complete
Components: Core/HTTP Core/ManagerInterface
Versions: 11.4.0
Frequency of
Environment: OpenBSD 5.3-current, amd64 (but not relevant to issue)
Attachments:
Description: When sending cookies, some HTTP clients (for example the version of Apache Commons HttpClient used in railo 4.x) normally send an RFC 2965 Cookie2 header:

Cookie: mansession_id="e071e431"
Cookie2: $Version="1"

This was recently deprecated by RFC 6265 but is still seen in the wild. Unfortunately ast_http_get_cookies() in http.c does this:

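if (!strncasecmp(v->name, "Cookie", 6)) {   /* prefix match: also true for "Cookie2" */
       char *tmp = ast_strdupa(v->value);
       if (cookies) {
              /* ... cookies saved from an earlier header are destroyed here ... */
       }

       cookies = parse_cookies(tmp);
}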

i.e. only compares the first 6 characters, and because the Cookie2 header appears after the Cookie header, destroys the previously saved cookies. As a result Asterisk doesn't pick up the authentication cookie and so AMI fails as it thinks the request is not authenticated.
Comments:

By: Stuart Henderson (sthen) 2013-06-04 06:23:21.256-0500

Unless I'm mistaken this is as simple as just using strcasecmp instead of strncasecmp isn't it? v->name is just "Cookie", no trailing : etc.

By: Stuart Henderson (sthen) 2013-07-09 08:50:26.829-0500

s/strncasecmp/strcasecmp/ has been working for me for the last month.

By: Matt Jordan (mjordan) 2013-07-20 22:11:12.497-0500

Worked for me as well. Thanks for pointing out a solution!
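
The behaviour reported above and the strcasecmp change from the comments, side by side, as an added example that is not Asterisk's code and not part of the original ticket. `struct hdr`, `cookie_source()` and `has_session_cookie()` are hypothetical stand-ins: cookie parsing is reduced to selecting which header value would reach the parser, and the header list is constructed from the two headers quoted in the description.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-in for Asterisk's header list (struct ast_variable). */
struct hdr { const char *name; const char *value; const struct hdr *next; };

/* Constructed sample request: the two headers quoted in the report. */
static const struct hdr h2 = { "Cookie2", "$Version=\"1\"", NULL };
static const struct hdr h1 = { "Cookie", "mansession_id=\"e071e431\"", &h2 };

/* Returns the header value that would be handed to the cookie parser.
 * As in the reported code, each later match replaces the earlier result.
 * exact == 0: strncasecmp(name, "Cookie", 6), the reported behaviour.
 * exact != 0: strcasecmp(name, "Cookie"), the change from the comments. */
const char *cookie_source(const struct hdr *headers, int exact)
{
    const char *picked = NULL;
    const struct hdr *v;

    for (v = headers; v; v = v->next) {
        int match = exact ? !strcasecmp(v->name, "Cookie")
                          : !strncasecmp(v->name, "Cookie", 6);
        if (match)
            picked = v->value;   /* cookies from an earlier header are discarded */
    }
    return picked;
}

/* 1 if the selected cookie data still carries the AMI session cookie. */
int has_session_cookie(const struct hdr *headers, int exact)
{
    const char *src = cookie_source(headers, exact);
    return src != NULL && strstr(src, "mansession_id=") != NULL;
}

int main(void)
{
    printf("prefix match -> %s (session cookie: %d)\n",
           cookie_source(&h1, 0), has_session_cookie(&h1, 0));
    printf("exact match  -> %s (session cookie: %d)\n",
           cookie_source(&h1, 1), has_session_cookie(&h1, 1));
    return 0;
}
```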