Prestashop: Duplicate cookies set

Created on 23 Jul 2019 · 8 comments · Source: PrestaShop/PrestaShop

Issue detail
The application attempted to set the following cookie to multiple values:

PrestaShop-71ac61b434afc5fbf53e2316aae30bb2

Host: http://127.0.0.1
Path: /prestashop/login

To Reproduce
Steps to reproduce the behavior:

  • Go to the Login page and submit the login form:
POST /prestashop/login?back=my-account HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://127.0.0.1/prestashop/login?back=my-account
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Connection: close
Cookie: PrestaShop-71ac61b434afc5fbf53e2316aae30bb2=def5020038e55f8cb6a00372afd032641efd6d3ee89169a0789f6f73e11e5e9f5902603752058cf62ce7362964bd524fe9429c0aca45b7987e2a0d496483288eacfe670ce9a2a596536b11934b17c9861e48cf94e62c741672e5b11795b700666ba1a19fc39352cee808f09a4020c6de78a8bdf4d3e27b6caeaba040824b4e4e5b7e2685975ca4a3fd6ccd17d601f8cb0dfccad0a2414a2697a493063c08ab2f1b4634034fd9eb6ec37124345d1936ec9ba7a8ebf1b605b3c3d9e9d9881a9f8d2960019d0171720f8a961f15accf11c64bb8556977140e210c675367cd4cbd2ace0230fa2217c66931a039ae089e2f4aa30708131772f0; XSRF-TOKEN=eyJpdiI6Ijg0VHA5XC9aNjdKRGw5UWhtSUtZSVRnPT0iLCJ2YWx1ZSI6IjRvNGpDV2s2ZklaT2RYNWxHenJYUU9XNEJsN2J3WUh2TTFzSmNHWE5LV3NEOFlsWHhpYzN4TmVnS09QNDExSDkiLCJtYWMiOiI0MmRiNDc3YmMxYTk3Y2JjMzIzMzRmZDdmY2EyNDQxNDRhMzJhZWIwZWRiMTM1ODI2Nzg0YmJlOTI5ZTBhZjIxIn0%3D; 
Upgrade-Insecure-Requests: 1

back=my-account&email=hello%40mail.com&password=%23helloDemoRoot%23&submitLogin=1
  • You will get this response while intercepting the request:
HTTP/1.1 302 Found
Date: Tue, 23 Jul 2019 10:12:57 GMT
Server: Apache/2.4.33 (Win32) OpenSSL/1.1.0h PHP/7.2.6
X-Powered-By: PHP/7.2.6
Set-Cookie: PrestaShop-71ac61b434afc5fbf53e2316aae30bb2=[value elided]; expires=Mon, 12-Aug-2019 10:12:57 GMT; Max-Age=1727999; path=/prestashop/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://127.0.0.1/prestashop/my-account
Set-Cookie: PrestaShop-71ac61b434afc5fbf53e2316aae30bb2=[value elided]; expires=Mon, 12-Aug-2019 10:12:57 GMT; Max-Age=1727999; path=/prestashop/; HttpOnly
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
  • As you can see in this response, there are multiple PrestaShop-71ac61b434afc5fbf53e2316aae30bb2 cookies

Issue background
The response contains two or more Set-Cookie headers that attempt to set the same cookie to different values. Browsers will only accept one of these values, typically the value in the last header. The presence of the duplicate headers may indicate a programming error.
Vulnerability classifications
CWE-16: Configuration -> https://cwe.mitre.org/data/definitions/16.html

Additional information
PrestaShop version: 1.7.6

Labels: 1.7.5.2, 1.7.6.0, Bug, FO, To Do, Trivial
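The background note above states the browser-side rule: cookies are stored per (name, domain, path), and when one response carries two Set-Cookie headers for the same key the last one processed wins (RFC 6265, section 5.3). The script below is an added example, not code from the report or from PrestaShop, that applies that rule to a raw HTTP response: it groups Set-Cookie headers by name and Path, flags any key set more than once, and says which value the browser will actually keep. The sample response is constructed to mirror the 302 in the report; the cookie values are short placeholders rather than the real encrypted session blobs.

```python
"""Flag duplicate Set-Cookie headers in a raw HTTP response.

A user agent stores cookies keyed by (name, domain, path); when one
response carries several Set-Cookie headers for the same key, the one
processed last replaces the earlier ones (RFC 6265, section 5.3).  The
functions below surface that situation so a proxy log or an integration
test can catch the behaviour the report describes.
"""

# Constructed sample modelled on the 302 in the report.  The cookie
# values are short placeholders, not the encrypted session blobs.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.33 (Win32) OpenSSL/1.1.0h PHP/7.2.6\r\n"
    "Set-Cookie: PrestaShop-71ac61b434afc5fbf53e2316aae30bb2=def50200aaaa; "
    "expires=Mon, 12-Aug-2019 10:12:57 GMT; Max-Age=1727999; "
    "path=/prestashop/; HttpOnly\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Location: http://127.0.0.1/prestashop/my-account\r\n"
    "Set-Cookie: PrestaShop-71ac61b434afc5fbf53e2316aae30bb2=def50200bbbb; "
    "expires=Mon, 12-Aug-2019 10:12:57 GMT; Max-Age=1727999; "
    "path=/prestashop/; HttpOnly\r\n"
    "Set-Cookie: XSRF-TOKEN=abc; path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names (path, max-age, httponly, ...)
    to their string value ('' for flag attributes such as HttpOnly).
    Splitting on ';' is safe: the Expires date contains a comma but
    never a semicolon.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def set_cookie_headers(raw_response):
    """Return the Set-Cookie header values in the order the server sent them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def find_duplicate_cookies(raw_response):
    """Group Set-Cookie headers by (name, path) and return only collisions.

    Result: {(name, path): [value, ...]} for keys set more than once, in
    server order, so the last list element is the value a browser keeps.
    path is None when the header carried no Path attribute.
    """
    seen = {}
    for header in set_cookie_headers(raw_response):
        name, value, attrs = parse_set_cookie(header)
        seen.setdefault((name, attrs.get("path")), []).append(value)
    return {key: vals for key, vals in seen.items() if len(vals) > 1}


def effective_cookie_value(raw_response, name, path=None):
    """Value a browser ends up storing for (name, path), or None if unset."""
    stored = None
    for header in set_cookie_headers(raw_response):
        n, value, attrs = parse_set_cookie(header)
        if n == name and attrs.get("path") == path:
            stored = value  # a later header overwrites the earlier one
    return stored


def report(raw_response):
    """Human-readable findings, one line per duplicated cookie."""
    lines = []
    for (name, path), vals in find_duplicate_cookies(raw_response).items():
        lines.append(
            "duplicate Set-Cookie for %s (path=%s): %d headers, browser keeps %r"
            % (name, path, len(vals), vals[-1])
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RESPONSE) or ["no duplicate Set-Cookie headers"]:
        print(line)
```

Run against a proxy capture, the report line tells you which of the two values survives, which is what matters when debugging "my session cookie is not the one I expected". Note also that the two headers in every capture in this thread carry different values, and in the 1.7.6.0 capture Max-Age drops from 1728000 to 1727999 between them, which is consistent with the cookie being serialised and sent twice within a single request rather than one header being a verbatim repeat.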

All 8 comments

Hi @rudSarkar,

Thanks for your report.
I have the same issue with PS1.7.6.0 & PS1.7.5.2.
With PS1.7.6.0

Request URL: http://projet/QA/ps1760lastone/index.php?controller=authentication&back=my-account
Request Method: GET
Status Code: 200 OK
Remote Address: 127.0.1.1:80
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 6529
Content-Type: text/html; charset=utf-8
Date: Tue, 23 Jul 2019 13:17:42 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=cs3vp1jnnlojeimbhlvrlgoa43; path=/
Set-Cookie: PrestaShop-71ac61b434afc5fbf53e2316aae30bb2=def50200412bf8ceca1c5bbf883fcecddf5306cd64d15444056a5546f7bfaa23c80d568da9027f2f07adf730354ad1be807abe79a2124369d44d7516ad80bddef8a3935a1511dc81bd371c32be394daae23ee67c18ea098725280bae3f0016aa388536c05303a43faabf81e824f33641999ba06f5106c0805cc03cffed5ebe243de033e339ae0e83dd65b6c4a2b1538b0cb7dcb9eefef0e735bcd67d9404df; expires=Mon, 12-Aug-2019 13:17:42 GMT; Max-Age=1728000; path=/QA/ps1760lastone/; HttpOnly
Set-Cookie: PrestaShop-71ac61b434afc5fbf53e2316aae30bb2=def50200487066951ffe3f7fdc25c5c9522362f3901ed5528f362654a0c4b0de7bd24c286fabd4c24cd57b84dd30da68be4dfe570a5517c93cb4fedcfad0c9cf0f97ce55ba612d8e46170d09d728a5f8df25238d2793dec46a0e737d27107da1939687544bd40364bd8aadb9e4580c87c205a2b4f1f4858ce7a7547029ba5218793f4edeffe702fda987b72196ea051a529cb18f1c329407f01b1507c59cbe3ac5447beba939cdd4e51d8e58d8602025c6012941732ab97852b7ee7d13; expires=Mon, 12-Aug-2019 13:17:42 GMT; Max-Age=1727999; path=/QA/ps1760lastone/; HttpOnly
Vary: Accept-Encoding

With PS1.7.5.2, I have this:

Request URL: http://projet/QA/ps1752/index.php?controller=authentication&back=my-account
Request Method: GET
Status Code: 200 OK
Remote Address: 127.0.1.1:80
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 6341
Content-Type: text/html; charset=utf-8
Date: Tue, 23 Jul 2019 13:17:57 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Powered-By: PrestaShop
Pragma: no-cache
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=uskmbcgkupb35ho1vjrb9ftq50; path=/
Set-Cookie: PrestaShop-8a246ba6759ea1df3bcf0712401f968f=def5020002a611ad157b2526c5db5dcf46802d0d21ad6f7c13495921df25f060b038fef9e12fbaa40016734242aa47ab19fb9cd26f534ef48aa08dacdd175bce75bce6bc6d10d8aa59e74977412e14a486d913edf8fc88cdca2b270f19c2b6dff41793cb7cdee800c44d793f6bbd2300f817150f6c9e32120e918222c633405a719b0b89454b66fae4003a65d5f6e302b99728761e86195083ed65ee0718cd; expires=Mon, 12-Aug-2019 13:17:57 GMT; Max-Age=1728000; path=/QA/ps1752/; HttpOnly
Set-Cookie: PrestaShop-8a246ba6759ea1df3bcf0712401f968f=def50200a16d19d3336a2a16cebf3c9e8dec7ea83da4b4c78f27d9fb96aa73c4839dc17d3b0485a90987b95b189b1a9be94cabe4e1d0b1e1acc8f04e6eae7022eaf693994c8ca3fd76fecb00c66ba88437f1610bbd18ec24870330156f139882dbeefadc7c64aee00614e9bf451e33e685e2a3a7eed01bbacccec58d08e5a8dc7bd1e6416d9e259d22dec6f7aeb4ee2933d1197c98e785af3f9cbac298a11e01fdfac7568b4dc0e4d660f4; expires=Mon, 12-Aug-2019 13:17:57 GMT; Max-Age=1728000; path=/QA/ps1752/; HttpOnly
Vary: Accept-Encoding

I'll add this to the debug roadmap so that it's fixed. If you have already fixed it on your end or if you think you can do it, please do send us a pull request!
Thanks!

Hi @khouloudbelguith ,

I don't have any fix for this, can you please open a ticket on PrestaShop code debugger team to fix this.

Thanks,
@rudSarkar :electron:

@rudSarkar, I just added this issue to our bug roadmap.

Thanks!

Alright let me know when it Fixed.

Any news on that point, as we face the same issue with the 1.7.5.2 PS version - October 23rd

I think it is not fixed yet! @khouloudbelguith Can you please give an update about it?

Hi @rudSarkar,

Sorry no, it is not fixed yet.
There are some major issues to solve before this one.
But PrestaShop is an open-source project, so it can be solved before if someone submits a pull request to solve it.

Thanks for your understanding!

I can understand. I am trying to find out the point; once I have got the point I will PR.

Thanks for the response @khouloudbelguith 😁
