Burp Suite User Forum

Double cookie header created by session handling rule

Thomas | Last updated: Apr 17, 2024 05:18PM UTC

If you create a session handling rule to either add or update a cookie value for requests in some scope, it does not work as expected.

The setup is:

* an enabled session handling rule;
* with any given scope;
* a "set a specific cookie or parameter value" action rule;
* this rule specifies a cookie name and value.

Observed behaviour:

* If the request does NOT have ANY cookie (header), "if not already present, add as" is checked and the dropdown is set to "cookie": a cookie header is set, with the specified cookie added - expected.
* If the request does NOT have ANY cookie (header), "if not already present, add as" is unchecked: no cookie header is set - expected.
* If the request has a cookie (header) but not the expected cookie name, "if not already present, add as" is checked: a second cookie header is added with the configured cookie - NOT expected.
* If the request has a cookie (header) but not the expected cookie name, "if not already present, add as" is unchecked: no cookie value is added - expected.
* If the request has a cookie (header) and the expected cookie name, the checkbox became irrelevant: the cookie value is updated - expected.

Expected fix: update the existing cookie header instead of adding a secondary cookie header with the configured cookie.
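The behaviour matrix from the post above, written out as an added Python sketch (not Burp Suite code and not part of the original thread). The function names and the representation of a request as a list of `(header, value)` tuples are assumptions made for this example; the sample requests are constructed.

```python
def _split(cookie_value):
    """Split a Cookie header value into [name, sep, value] triples."""
    triples = []
    for part in cookie_value.split(";"):
        part = part.strip()
        if part:
            k, sep, v = part.partition("=")
            triples.append([k.strip(), sep, v])
    return triples


def _join(triples):
    return "; ".join(k + sep + v for k, sep, v in triples)


def set_cookie(headers, name, value, add_if_missing=True):
    """Return a copy of `headers` with cookie `name` set to `value`.

    `add_if_missing` models the "if not already present, add as: cookie" checkbox.
    """
    out = list(headers)
    rows = [i for i, (h, _) in enumerate(out) if h.lower() == "cookie"]
    updated = False
    for i in rows:
        triples = _split(out[i][1])
        hits = [t for t in triples if t[0] == name]
        for t in hits:                      # cookie present: always update it
            t[1], t[2] = "=", value
        if hits:
            out[i] = (out[i][0], _join(triples))
            updated = True
    if updated or not add_if_missing:
        return out
    if rows:
        # A Cookie header exists but lacks this cookie: append to that header
        # instead of emitting a second Cookie header (the case reported above).
        first = rows[0]
        out[first] = (out[first][0], _join(_split(out[first][1]) + [[name, "=", value]]))
    else:
        out.append(("Cookie", f"{name}={value}"))
    return out


# Constructed sample requests (headers only).
NO_COOKIE = [("Host", "example.test")]
OTHER_COOKIE = [("Host", "example.test"), ("Cookie", "lang=en; theme=dark")]
HAS_COOKIE = [("Host", "example.test"), ("Cookie", "session=old; lang=en")]
```
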

Michelle, PortSwigger Agent | Last updated: Apr 18, 2024 03:05PM UTC

Hi,

Thanks for getting in touch. We have raised a feature request to improve this. I can't make any promises at this stage as this will need to be prioritized against other bugs and features.
