Bug in handleCommandResponse()

Submitted by Si1ver on 2009-04-03

I have installed WebIssues Server 0.8.4 on my site, installed WebIssues Client 0.9.4 on my pc.
When I try to login, client said "300 login required".

There was hothing about this issue on forums, only that node but problem was not solved there.

I used Wireshark to find out what happend.

First, client sent to server
HELLO
Server anwered
SERVER 'WIServer' '4d3c9063-bcfc-436a-9261-fe2469cb6d3d'
and set up two(!) cookies.

Set-Cookie: WebIssuesSID=76cec8458dc38e896a5e6e476db94c17; path=/
Set-Cookie: Apache=xx.xx.xx.xx.398971238761915918; path=/; expires=Sat, 03-Apr-10 12:31:55 GMT

(i replaced ip to xx.xx.xx.xx)
That's ok.

In next step client send login request to server
LOGIN 'admin' 'admin'
And send cookie, but only one of two that was reseived
Cookie: WebIssuesSID=76cec8458dc38e896a5e6e476db94c17; path=/
That's not good, because server didn't found apache cookie and with answer
USER 1 2
returned new apache cookie (it's impossible on my hosting to config apache not to open that session)
Set-Cookie: Apache=xx.xx.xx.xx.40732123876191642; path=/; expires=Sat, 03-Apr-10 12:31:56 GMT

Next, client send request
LIST FEATURES
but with last reseived cookie only
Cookie: Apache=xx.xx.xx.xx.40732123876191642; path=/; expires=Sat, 03-Apr-10 12:31:56 GMT
So we have no WebIssues php session that we are logged in. And so we get err 300 incorrect login.

Problem in than server sent two cookies instead of one (as supposed), and client incorrectly send them back to server (only first of them).
Once again. We get

Set-Cookie: WebIssuesSID=76cec8458dc38e896a5e6e476db94c17; path=/
Set-Cookie: Apache=xx.xx.xx.xx.398971238761915918; path=/; expires=Sat, 03-Apr-10 12:31:55 GMT

And return
Cookie: WebIssuesSID=76cec8458dc38e896a5e6e476db94c17; path=/
Within something like this:
Cookie: WebIssuesSID=76cec8458dc38e896a5e6e476db94c17; Apache=xx.xx.xx.xx.398971238761915918

That is because function handleCommandResponse() in scr/commands/commandmanager.cpp incorrectly parses the "Set-Cookie" fields in response.

So, we need to get sessions from all "Set-Cookie" fields in response. For example, we can get all strings with allValues, truncate all text after first semicolon (with semicolon) (if it present) and join strings with "; ".
(session always plased before first ";", does it?)

Here is the way to fix it (placed on line 338 in scr/commands/commandmanager.cpp):

// Comment next three lines.
//    QString cookie = response.value( "Set-Cookie" );
//    if ( !cookie.isEmpty() )
//        m_cookie = cookie;

// Place that right after old commented code
    QStringList cookies = response.allValues( "Set-Cookie" );
    if ( !cookies.isEmpty() ) {
        int index_of_semicolon;
        for ( int i = 0; i < cookies.size(); i++ ) {
            if ( (index_of_semicolon = cookies[i].indexOf( ";" )) != -1 ) {
                cookies[i].truncate( index_of_semicolon );
            }
        }
        m_cookie = cookies.join( "; " );
    }

We will get correct cookie string to send to server and clien will work correctly.
I've had never work with QT, so I don't know how to do it with the best way. Anyway that need to be tested.

I hope that was good idea to post that solution and you're wouldn't be angry with me.
Sorry for my poor english.

Regards,
Anton Vasiliev.

You're right, the code handling cookies in the client is not correct. It works as long as there is only one cookie so I never fixed it. Thanks for analyzing the problem and for sending the patch. I will fix this in the next version.

Regards,
Michał