Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Double cookie header created by session handling rule

Thomas | Last updated: Apr 17, 2024 05:18PM UTC

If you create a session handling rule to either add or update a cookie value for requests in some scope, it does not work as expected. The setup is: * a enabled session handling rule; * with any given scope; * a "set a specific cookie or parameter value" action rule; * this rule specifies a cookie name and value. If the request does NOT have ANY cookie (header), "if not already present, add as" is checked and the dropdown is set to "cookie": a cookie header is set, with the specified cookie added - expected. If the request does NOT have ANY cookie (header), "if not already present, add as" is unchecked: no cookie header is set - expected. If the request has a cookie (header) but not the expected cookie name, "if not already present, add as" is checked: a second cookie header is added with the configured cookie - NOT expected. If the request has a cookie (header) but not the expected cookie name, "if not already present, add as" is unchecked: no cookie value is added - expected. If the request has a cookie (header) and the expected cookie name, the checkbox became irrelevant: the cookie value is updated - expected. Expected fix: update the existing cookie header instead of adding a secondary cookie header with the configured cookie.

Michelle, PortSwigger Agent | Last updated: Apr 18, 2024 03:05PM UTC

HI Thanks for getting in touch. We have raised a feature request to improve this. I can't make any promises at this stage as this will need to be prioritized against other bugs and features.

Michelle, PortSwigger Agent | Last updated: Oct 29, 2024 12:09PM UTC