This repository has been archived by the owner on Nov 27, 2020. It is now read-only.

Response Headers don't overwrite cookies #217

Open
gabecoyne opened this issue Dec 20, 2012 · 9 comments

@gabecoyne

  • set initial cookie before request
    page.driver.set_cookie("user_id", 1)
  • controller sets cookies[:user_id] = 2
    visit "/change_user?user_id=2"
  • this passes - the right headers were sent back by rails app
    page.response_headers["Set-Cookie"].match("user_id=2").should_not be_nil
  • this fails, user_id cookie is still 1
    page.driver.cookies["user_id"].value.should == 2
@ghost ghost assigned route Jul 25, 2013
@route
Contributor

route commented Aug 7, 2013

I'd like to know your opinions here, guys @jonleighton @yaauie
First off this test fails:

it 'can overwrite cookies' do
  @driver.set_cookie 'capybara', 'initial'
  @session.visit('/set_cookie')

  @session.visit('/get_cookie')

  expect(@driver.body).to include('test_cookie')
end

with this:

Capybara::Poltergeist::Driver cookies support can overwrite cookies
Failure/Error: expect(@driver.body).to include('test_cookie')
expected "<html><head></head><body>initial</body></html>" to include "test_cookie"
# ./spec/integration/driver_spec.rb:474:in `block (3 levels) in <module:Poltergeist>'

Let me explain what the hell is going on here :)

For Safari:

  1. If we set a cookie with domain 127.0.0.1 in response headers, it will be set with the same domain
  2. If we set a cookie with domain .127.0.0.1 in response headers, it will be ignored

For PhantomJS:

  1. If we set a cookie with domain 127.0.0.1 in response headers, it will be set with the '.127.0.0.1' domain
  2. If we set a cookie with domain .127.0.0.1 in response headers, it will be set with the '.127.0.0.1' domain

Every single cookie I tried to set with the PhantomJS API was prepended with a dot or rejected if there was something wrong with the domain name. Considering this RFC http://tools.ietf.org/html/rfc2109#section-4.3.2, PhantomJS behavior is fishy.

Further info about this concrete issue.

  1. We call page.driver.set_cookie("user_id", 1) and the cookie is set for the '.127.0.0.1' domain
  2. The controller sets cookies[:user_id] = 2 and the cookie is set for the '127.0.0.1' domain (because the domain wasn't specified)
  3. PhantomJS has cookies for both domains.
  4. If we make a request, PhantomJS will send both cookies, but on the server side we will have only one because of this https://github.com/rack/rack/blob/master/lib/rack/request.rb#L305 (Seems legit)

Thoughts?
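
The four steps above, replayed in a toy cookie jar. This is an added example, not code from Poltergeist, PhantomJS or Rack: `ToyJar` and the helper names are hypothetical, the domain matching is simplified, and the first-value-wins parse is an assumption that matches the "initial" body in the failing spec.

```ruby
# Added illustration; all names here are hypothetical, values are constructed.
Cookie = Struct.new(:name, :value, :domain)

class ToyJar
  def initialize(dot_prefix_api:)
    @dot_prefix_api, @cookies = dot_prefix_api, []
  end

  # Cookie set through the driver API; a PhantomJS-like jar prepends a dot.
  def set_via_api(name, value, host)
    domain = @dot_prefix_api && !host.start_with?('.') ? ".#{host}" : host
    store(Cookie.new(name, value, domain))
  end

  # Set-Cookie without a Domain attribute is stored for the exact host.
  def set_via_response(name, value, request_host)
    store(Cookie.new(name, value, request_host))
  end

  # Simplified matching: entries for the exact host and its dotted form are sent.
  def header_for(host)
    @cookies.select { |c| [host, ".#{host}"].include?(c.domain) }
            .map { |c| "#{c.name}=#{c.value}" }.join('; ')
  end

  private

  # An entry is replaced only when name AND domain are identical.
  def store(cookie)
    @cookies.reject! { |c| c.name == cookie.name && c.domain == cookie.domain }
    @cookies << cookie
  end
end

# Steps 1-4 of the comment above; returns the Cookie request header.
def replay(dot_prefix_api:)
  jar = ToyJar.new(dot_prefix_api: dot_prefix_api)
  jar.set_via_api('user_id', '1', '127.0.0.1')      # page.driver.set_cookie
  jar.set_via_response('user_id', '2', '127.0.0.1') # cookies[:user_id] = 2
  jar.header_for('127.0.0.1')
end

# Assumption: the server keeps the first value seen for a repeated name.
def parse_first_wins(header)
  header.split(/;\s*/).each_with_object({}) { |p, h| k, v = p.split('=', 2); h[k] ||= v }
end

# Names repeated within one Cookie header (empty when the jar overwrote cleanly).
def duplicate_names(header)
  header.split(/;\s*/).map { |p| p.split('=', 2).first }
        .group_by(&:itself).select { |_, v| v.size > 1 }.keys
end
```

Running `duplicate_names` over the Cookie header a test session actually sends is a quick way to tell this jar behaviour apart from an application bug.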

@yaauie
Contributor

yaauie commented Aug 7, 2013

I agree that PhantomJS behaviour looks fishy, & I'm not sure of an immediate workaround on our end. Can you submit an issue over there & reference this one?

@route
Contributor

route commented Aug 8, 2013

I don't have thoughts about a workaround either :(

@jonleighton
Contributor

I've nothing in particular to add, I agree that this looks like a PhantomJS bug.

@route
Contributor

route commented Aug 30, 2013

It appears I found the point causing this: https://github.com/ariya/phantomjs/blob/master/src/qt/src/network/access/qnetworkcookiejar.cpp#L208. I will try to open a PR or issue and discuss the problem.

@aripollak

Just wanted to leave a note here for anyone else trying to work around this problem - I was able to get the same functionality by setting a temporary cookie header manually. So to set a user id in a Rails signed session cookie:

def sign_in_as(user)
    session_key = Rails.configuration.session_options[:key]
    cookie_jar = ActionDispatch::Cookies::CookieJar.new(Rails.configuration.secret_token)
    cookie_jar.signed[session_key] = { value: { user_id: user.id } }
    signed_cookie = [session_key, Rack::Utils.escape(cookie_jar[session_key])].join('=')
    page.driver.add_header 'Cookie', signed_cookie, permanent: false
end

@luisico

luisico commented May 6, 2014

Hi, stumbled upon this as well. My solution was to add the cookie with JavaScript (using jquery-cookie in this case), which does not prepend the leading period:

page.execute_script %Q{ $.cookie('mycookie', 'true'); }

@siboulet

ariya/phantomjs#13409
