The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burp can't handle same-name cookies set to different paths

ParanoidAndroid | Last updated: Feb 03, 2017 04:18AM UTC

Just chiming in to add another vote for fixing cookie jar handling for cookies with the same name but differing paths. In my case, two different sessionId cookies at root (/) and one at a subdirectory (/service/). Both are necessary for the call. Repeater seems to be adding the first one it encounters in the cookie jar. http://forum.portswigger.net/thread/1110/burp-handle-cookies-different-paths

PortSwigger Agent | Last updated: Feb 03, 2017 08:41AM UTC

Are you using the latest version of Burp (1.7.17)? We recently fixed a bug relating to handling of multiple cookies with the same name. If you're still seeing a problem with the latest release, please let us have the details including the relevant Set-Cookie headers and a screenshot of Burp's cookie jar, thanks.

Burp User | Last updated: Feb 22, 2017 06:59PM UTC

This looks familiar. With version 1.7.17, when using session rules and the cookie jar, if you have two cookies with the same name but set to different scopes (let's say / and /foo), Burp somehow assumes that / has a higher "privilege" than /foo, and so it sends the cookie that was scoped to /. If the cookie jar had an option to "move up" / "move down", I think that would solve the problem, or ultimately, the session rules engine being able to send all the cookies in the jar, and not only the first match.
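
For reference when comparing Repeater output against what a browser would send, here is an added example (not part of the thread and not Burp's code) of RFC 6265 cookie selection: every cookie whose path matches is sent, longer paths first. The `Cookie` class, the jar contents and `first_match_header` (a model of the behaviour reported above) are constructed for illustration; request paths are assumed to exclude the query string.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str
    created: int  # creation order; lower means set earlier


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match rule from RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts if it ends on a "/" boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_header(jar, request_path: str) -> str:
    """RFC 6265 section 5.4: send all matches, longest path first,
    then earliest creation time."""
    matching = [c for c in jar if path_matches(request_path, c.path)]
    matching.sort(key=lambda c: (-len(c.path), c.created))
    return "; ".join(f"{c.name}={c.value}" for c in matching)


def first_match_header(jar, request_path: str) -> str:
    """Model of the reported behaviour: one cookie per name, first jar entry wins."""
    chosen = {}
    for c in jar:
        if path_matches(request_path, c.path):
            chosen.setdefault(c.name, c)
    return "; ".join(f"{c.name}={c.value}" for c in chosen.values())


# Constructed jar mirroring the thread: same name, scoped to / and /service/.
JAR = [
    Cookie("sessionId", "ROOT", "/", created=1),
    Cookie("sessionId", "SVC", "/service/", created=2),
]

if __name__ == "__main__":
    print("RFC 6265   :", cookie_header(JAR, "/service/call"))
    print("first match:", first_match_header(JAR, "/service/call"))
```

If the Cookie header in a replayed request differs from the `cookie_header` result for the same path, the server is seeing a different session state than it would from a browser.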

PortSwigger Agent | Last updated: Feb 23, 2017 09:17AM UTC