I want to get the session cookie of a website. Unfortunately the “Set-Cookie”-Header doesn’t show up.
Here’s the code I’ve written:
“commands” is a String[][] and the whole code is wrapped by try/catch.
CookieStore cookieStore = new BasicCookieStore();
HttpContext localContext = new BasicHttpContext();
localContext.setAttribute(ClientContext.COOKIE_STORE, cookieStore);
HttpPost httppost = new HttpPost(url);
List<NameValuePair> nvps = new ArrayList<NameValuePair>(0);
for (int i = 0; i < commands.length; ++i)
    nvps.add(new BasicNameValuePair(commands[i][0], commands[i][1]));
httppost.setEntity(new UrlEncodedFormEntity(nvps, HTTP.UTF_8));
// Pass the context to execute(); without it cookieStore is never filled.
HttpResponse response = httpclient.execute(httppost, localContext);
HttpEntity entity = response.getEntity();
Header[] headers = response.getAllHeaders();
List<Cookie> cookies = cookieStore.getCookies();
String data = EntityUtils.toString(entity);
My understanding of HTTP communication tells me that there should be a “Set-Cookie” header. The only headers I get from response.getAllHeaders() are Connection:close, X-Powered-By:PHP/4.3.4 and Content-Type:text/html.
There is a bit of javascript included in the returned data (response.getEntity()).
<script language = "javascript">
<!--
location.href="/index.php";
function SetCookie(name,value,expire,path){
document.cookie = name + "=" + escape(value) + ((path == null) ? "":(";path="+path))
}
var iad = 461180104
SetCookie("iad",iad,0,"/")
-->
</script>
As far as I understand this, this code is never executed because it’s just a comment?!
But this is also probably the bit where the cookie should be created.
Any ideas?
UPDATE:
“Opera Mobile” is the only browser for Android I found which has no problem with cookies on this site. “Opera Mini”, “Dolphin HD” and the Froyo stock browser all fail. No desktop browser has problems connecting. Is this a WebKit issue? And if this is the case: how to avoid it?
Using Chrome’s developer tools or Firebug, check the HTTP response for the “expires” parameter in the Set-Cookie header field. Make sure the time / date settings on the phone are set correctly. If the browser thinks the cookie is already expired, it won’t store it.
If that doesn’t work, try using Wireshark / tshark to grab a trace of the communication from your client, and compare it to a browser that’s working the way you expect it to.
By the way, the comment delimiters around that bit of JavaScript don’t prevent the script from being run; they just prevent older (really old) browsers from trying to render the script in the document. That cookie (“iad”) doesn’t look like the cookie for authentication. There’s likely an HTTP-only cookie with a session identifier; you should be able to see it using the aforementioned Firebug / Dev tools.
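The point about the comment delimiters, as an added example that is not part of the original post: it runs the script quoted in the question against stub `document` and `location` objects and records the side effects, showing that the `iad` cookie is written client-side by the script, so it never appears as a Set-Cookie header. The names `extractInlineScripts`, `runLikeBrowser` and the stub objects are assumptions made for this illustration.

```javascript
// Constructed sample: the response body quoted in the question.
const body = [
  '<script language = "javascript">',
  '<!--',
  'location.href="/index.php";',
  'function SetCookie(name,value,expire,path){',
  'document.cookie = name + "=" + escape(value) + ((path == null) ? "":(";path="+path))',
  '}',
  'var iad = 461180104',
  'SetCookie("iad",iad,0,"/")',
  '-->',
  '</script>',
].join('\n');

// Pull the text of every inline <script> element out of the HTML.
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Execute the inline scripts with stub objects (hypothetical stand-ins for
// the browser's document and location) and record what they try to do.
// JavaScript treats "<!--" and a line-leading "-->" as single-line comments,
// so the delimiters hide nothing from the engine.
// new Function is not a sandbox: use this only on the embedded sample,
// never on content fetched from an untrusted server.
function runLikeBrowser(html) {
  const effects = { cookies: [], redirect: null };
  const document = { set cookie(v) { effects.cookies.push(v); } };
  const location = { set href(v) { effects.redirect = v; } };
  for (const src of extractInlineScripts(html)) {
    new Function('document', 'location', src)(document, location);
  }
  return effects;
}

console.log(runLikeBrowser(body));
```

An HTTP client library has no script engine, so neither side effect happens there: the cookie is not stored and the redirect to /index.php is not followed.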