tag:support.arachni-scanner.com,2012-07-01:/discussions/problems/3988-arachni-not-using-session-cookies
Arachni: Discussion 2018-10-19T07:41:47Z

Arachni not using session cookies?

2016-04-06T19:34:32Z
<div><p>Any chance the cookies are set with a subdomain like
<code>www</code> and the URL you're passing to Arachni doesn't have
it? Or vice versa?</p></div>
Tasos Laskos

2016-04-06T21:08:48Z
<div><p>The cookies are set to the full domain of the target URL.</p>
<p>Example:</p>
<p>Target URL = <a href="https://appname.cloud.com/user/home">https://appname.cloud.com/user/home</a><br>
Cookie domain = appname.cloud.com</p></div>
Frank

2016-04-06T21:10:41Z
<div><p>I'm not aware of any issues with that option, would you mind
sending me the details at tasos[dot]laskos[at]gmail.com so that I
can have a look?</p></div>
Tasos Laskos

2016-04-06T23:47:39Z
<div><p>Check your email.</p></div>
Frank

2016-04-07T06:15:30Z
<div><p>I found the issue.</p>
<p>I was able to proxy the Arachni requests through Burp, and
noticed the size of the request was different than the request made
in curl with the same headers.</p>
<p>A string comparison showed the session and XSRF cookies were
different.</p>
<p>In the cookie-jar, the session and XSRF cookies are URL encoded.
When passing the cookie-jar to Arachni, it URL encodes the cookies
so essentially double URL encodes the session cookie.</p>
<p>For example:<br>
<code>pTZ%2FwseH5%2BNCRYKi63blY5GK6EwGPzB6%2B%2FMjE%2FqBktZtsn%2F6lamjlWlu5t2Tzj8iedJvIvIhBX4f7mrZhWuBkw%3D%3D</code></p>
<p>becomes...</p>
<p><code>pTZ%252FwseH5%252BNCRYKi63blY5GK6EwGPzB6%252B%252FMjE%252FqBktZtsn%252F6lamjlWlu5t2Tzj8iedJvIvIhBX4f7mrZhWuBkw%253D%253D</code></p>
<p>This creates an invalid token, and hence the redirect to the
login page.</p></div>
Frank

2016-04-07T12:56:00Z 2016-04-07T13:26:04Z
<div><p>Thanks for the info, I think I've fixed the issue and I'm now
running the test suite to make sure I didn't break anything.<br>
If all goes well I'll push a nightly for you to test and let you
know once it's up.</p>
<p>Cheers</p></div>
Tasos Laskos

2016-04-07T18:58:30Z
<div><p>Give them a try: <a href="http://downloads.arachni-scanner.com/nightlies/">http://downloads.arachni-scanner.com/nightlies/</a></p></div>
Tasos Laskos

2016-04-07T20:52:56Z
<div><p>OK. About to download and test it now.</p></div>
Frank

2016-04-07T22:23:13Z
<div><p>I tested with the nightly, and it seems to no longer URL encode
cookie values that are already URL encoded.</p>
<p>This can be closed.</p></div>
Frank
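
The double encoding described in the thread above, reproduced as an added Ruby example (not Arachni's code and not the fix shipped in the nightly): it parses a constructed Netscape-format cookie-jar line, shows unconditional percent-encoding turning the token quoted in the thread into its `%25` form, and contrasts that with an encoder that leaves already-escaped values alone. The cookie name `session`, the jar line and all function names are assumptions.

```ruby
# Added example: cookie name, jar line and function names are assumptions.
# Constructed Netscape cookie-jar line (tab-separated fields); the value is
# the already URL-encoded token quoted in the thread.
JAR_LINE = "appname.cloud.com\tFALSE\t/\tTRUE\t0\tsession\t" \
  "pTZ%2FwseH5%2BNCRYKi63blY5GK6EwGPzB6%2B%2FMjE%2FqBktZtsn%2F6lamjlWlu5t2Tzj8iedJvIvIhBX4f7mrZhWuBkw%3D%3D\n"

RAW_CHAR = /[^A-Za-z0-9\-._~]/                       # outside RFC 3986 unreserved
ENCODED  = /\A(?:[A-Za-z0-9\-._~]|%\h{2})*\z/        # unreserved chars or %XX only

# Split one jar line into its seven fields, keeping the value byte-for-byte.
def parse_jar_line(line)
  domain, _subdomains, path, secure, _expiry, name, value =
    line.chomp.split("\t", 7)
  { domain: domain, path: path, secure: secure == 'TRUE', name: name, value: value }
end

# Unconditional percent-encoding: '%' itself becomes '%25', so a value that
# is already encoded gets encoded a second time (the reported behaviour).
def encode_always(value)
  value.gsub(RAW_CHAR) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# True when the value contains only unreserved characters and %XX escapes.
def already_encoded?(value)
  value.match?(ENCODED)
end

# Encode only values that still contain raw characters needing an escape.
def encode_once(value)
  already_encoded?(value) ? value : encode_always(value)
end

# Triage heuristic for captured requests: an escaped '%' followed by two
# hex digits usually means an escape sequence was escaped again.
def double_encoded?(value)
  value.match?(/%25\h{2}/)
end

# Build the request header using the named encoder (:encode_always/:encode_once).
def cookie_header(cookie, encoder)
  "Cookie: #{cookie[:name]}=#{send(encoder, cookie[:value])}"
end

cookie = parse_jar_line(JAR_LINE)
puts cookie_header(cookie, :encode_always)  # token mangled, session rejected
puts cookie_header(cookie, :encode_once)    # token sent as stored in the jar
```

`already_encoded?` is a heuristic: a raw value that happens to consist only of unreserved characters and `%XX` sequences is passed through unchanged, so a tool that knows where a cookie came from is better off tracking its encoding state than guessing.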