Burp Suite User Forum

Create new post

Session handling rules - cookie not set for POST request

Lacy | Last updated: Aug 18, 2015 09:51PM UTC

I have set up a session handling rule that sends a certain cookie for all requests to a certain domain. What I have found however, is that that the cookie will be sent on all GET requests to the domain, but not sent with POST requests. Is this the intended functionality? Is there a way to force it to send with POST requests as well? I have tested that the cookie is being sent by using the Session Tracer. The Post requests do not show up in the handler and I have to edit them manually using the proxy tool in real time currently.

PortSwigger Agent | Last updated: Aug 19, 2015 09:56AM UTC

In our testing, Burp is sending cookies correctly for POST requests as well as for GET requests. If the POST requests are not even appearing in the sessions tracer, then we'd suggest you double-check your session handling rules and ensure that the requests concerned are in-scope for the rules you have configured.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.