Burp Suite User Forum


Burp can't handle same-name cookies set to different paths

ParanoidAndroid | Last updated: Feb 03, 2017 04:18AM UTC

Just chiming in to add another vote for fixing cookie jar handling for cookies with the same name but differing paths. In my case, two different sessionId cookies at root (/) and one at a subdirectory (/service/). Both are necessary for the call. Repeater seems to be adding the first one it encounters in the cookie jar. http://forum.portswigger.net/thread/1110/burp-handle-cookies-different-paths

PortSwigger Agent | Last updated: Feb 03, 2017 08:41AM UTC

Are you using the latest version of Burp (1.7.17)? We recently fixed a bug relating to handling of multiple cookies with the same name. If you're still seeing a problem with the latest release, please let us have the details including the relevant Set-Cookie headers and a screenshot of Burp's cookie jar, thanks.

Burp User | Last updated: Feb 22, 2017 06:59PM UTC

This looks familiar. With version 1.7.17, when using session rules and the cookie jar, if you have two cookies with the same name but set to different scopes (let's say / and /foo), Burp somehow assumes that / has a higher "privilege" than /foo, and so it sends the cookie that was scoped to /. If the cookie jar had an option to "move up" / "move down", I think that would solve the problem, or ultimately, the session rules engine being able to send all the cookies in the jar, and not only the first match.

PortSwigger Agent | Last updated: Feb 23, 2017 09:17AM UTC

Thanks for this. It appears that browsers do support multiple cookies with the same name at different nested paths, e.g. /, /foo/ and /foo/bar/. When this occurs, they select the cookie for the deepest matching path. We'll get Burp updated to behave in the same way in this situation.
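
An added example, not part of the thread and not Burp's code: a sketch of the path matching (RFC 6265 section 5.1.4) and longest-path-first ordering (section 5.4) that puts the deepest matching same-name cookie first. The `Cookie` class, the function names and the jar contents are constructed for illustration.

```python
# Added example: RFC 6265 path matching for same-name cookies at different paths.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts on a "/" boundary, so /foo does not match /foobar.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def matching_cookies(jar, request_path):
    """Cookies that apply to request_path, longest path first (section 5.4)."""
    hits = [c for c in jar if path_matches(request_path, c.path)]
    return sorted(hits, key=lambda c: len(c.path), reverse=True)


def deepest_cookie(jar, name, request_path):
    """The same-name cookie with the deepest matching path, or None."""
    for c in matching_cookies(jar, request_path):
        if c.name == name:
            return c
    return None


def cookie_header(jar, request_path):
    """Cookie header value a browser-like client would build for the path."""
    return "; ".join(f"{c.name}={c.value}" for c in matching_cookies(jar, request_path))


# Constructed sample jar: one name, three scopes.
JAR = [
    Cookie("sessionId", "root-value", "/"),
    Cookie("sessionId", "service-value", "/service/"),
    Cookie("sessionId", "foo-value", "/foo"),
]

if __name__ == "__main__":
    for p in ("/service/call", "/foo/bar", "/foobar", "/"):
        print(p, "->", cookie_header(JAR, p))
```

When comparing a tool's cookie jar against browser behaviour, check both which same-name cookie comes first and whether the shallower ones are still sent.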
