Setting/deleting/changing cookies upon request


Post by Staxcelrom » Mon Jun 20, 2022 3:56 pm

Hello,

I'm trying to change or remove cookies in request headers via OnBeforeResourceLoad:

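Code:
// Member of a CefResourceRequestHandler subclass.
// Needs <string> and "include/cef_resource_request_handler.h".
virtual CefResourceRequestHandler::ReturnValue OnBeforeResourceLoad(CefRefPtr<CefBrowser> browser, CefRefPtr<CefFrame> frame, CefRefPtr<CefRequest> request, CefRefPtr<CefCallback> callback) override
{
    // Copy the request headers into a local map.
    CefRequest::HeaderMap headerMap;
    request->GetHeaderMap(headerMap);

    const std::string my_find_phrase = "cookie";

    for (auto& i : headerMap)
    {
        const std::string my_first = i.first.ToString();

        // Case-insensitive comparison of the header name with "cookie".
        if (my_first.size() == my_find_phrase.size())
        {
            size_t cntr = 0;

            for (size_t z = 0; z < my_find_phrase.size(); z++)
            {
                // Match the lower-case letter or its upper-case form (ASCII offset 32).
                if (my_first[z] == my_find_phrase[z] || my_first[z] == my_find_phrase[z] - 32)
                {
                    cntr++;
                }
            }

            if (cntr == my_first.size())
            {
                // Overwrite the header value.
                i.second = "cookie_bla_bla";
            }
        }
    }

    // Write the modified map back once, after the loop.
    request->SetHeaderMap(headerMap);

    // The original had no return statement; continue loading the resource.
    return RV_CONTINUE;
}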


Well, that is, I'm looking for a header called Cookies in the headerMap and changing its value to non-existent.

And everything is replaced perfectly, the Cookie value changes - I see it in GetResourceResponseFilter - that is, I see it in the request object after the request has been made, the cookies have been changed.

But here's the problem: I intercept cookies and change them to non-existent ones, but the site that I load still sees my authorization, the site somehow understands who I am. That is, the CEF browser somehow still sends the site information about "who I am", but in the HTTP request headers there are no more headers in which such information could be sent.

Maybe you can suggest how this can happen?
Staxcelrom
Expert
 
Posts: 206
Joined: Wed Jan 26, 2022 8:20 am

Re: Setting/deleting/changing cookies upon request

Post by HarmlessDave » Mon Jun 20, 2022 6:17 pm

Are you sure the headers are 100% clean? Did you turn on developer tools to record the request?

If the headers are clean, could the site be looking at your IP address or using some "fingerprinting" scheme instead of cookies?
HarmlessDave
Expert
 
Posts: 370
Joined: Fri Jul 11, 2014 2:02 pm

Re: Setting/deleting/changing cookies upon request

Post by Staxcelrom » Tue Jun 21, 2022 12:51 am

Here is what OnBeforeResourceLoad and GetResourceResponseFilter output:

Request:
Request_GetURL:http://some_site_forum
Request_GetReferrerURL:
Request_GetMethod:GET
Request_GetReferrerPolicy:0
Request_GetResourceType:RT_MAIN_FRAME
Request_GetTransitionType:
Request_vector_GetHeaderMap: Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Request_vector_GetHeaderMap: Accept-Language:ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Request_vector_GetHeaderMap: Cookie:cookie_bla_bla
Request_vector_GetHeaderMap: Upgrade-Insecure-Requests:1
Request_vector_GetHeaderMap: User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36


Response:
Response_GetCharset:utf-8
Response_GetMimeType:text/html
Response_vector_GetHeaderMap: cache-control:private
Response_vector_GetHeaderMap: content-encoding:gzip
Response_vector_GetHeaderMap: content-type:text/html; charset=utf-8
Response_vector_GetHeaderMap: date:Tue, 21 Jun 2022 05:46:24 GMT
Response_vector_GetHeaderMap: pragma:private
Response_vector_GetHeaderMap: server:ddos-guard
Response_vector_GetHeaderMap: set-cookie:cforig_cookieuser=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure
Response_vector_GetHeaderMap: set-cookie:cfsessionhash=e59f13677f46886b46fe96afeae8db67; path=/; HttpOnly
Response_vector_GetHeaderMap: set-cookie:cfdup_timestamp=1655790384
Response_vector_GetHeaderMap: x-powered-by:PHP/5.6.31



And the page that comes to this request already contains my authorization data.
I can't figure out how the site can identify me if there is no authorization information in the request.

Can CEF somehow still pass cookies or tokens bypassing requests?
Because if I remove all information from the &settings.cache_path, then in this case, authorization does not occur.

Re: Setting/deleting/changing cookies upon request

Post by magreenblatt » Tue Jun 21, 2022 1:32 am

Cookies need to be changed via CefCookieManager.
magreenblatt
Site Admin
 
Posts: 12408
Joined: Fri May 29, 2009 6:57 pm
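
Added example, not part of the thread and not CEF code: the response log posted above carries three Set-Cookie headers, and this standalone C++ sketch parses such values to show which cookie the server is deleting (Max-Age=0), which is HttpOnly and which is Secure. SetCookieInfo, ParseSetCookie and ParseLoggedResponse are hypothetical names; the header strings are copied from that log.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct SetCookieInfo {       // hypothetical record; names are illustrative
    std::string name, value;
    bool http_only = false;  // not readable from JavaScript
    bool secure = false;     // only sent over HTTPS
    bool deletes = false;    // Max-Age <= 0: the server asks the browser to drop it
};
static std::string Trim(const std::string& s) {
    const auto b = s.find_first_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(" \t") - b + 1);
}
// Parse one header value of the form "name=value; attr; attr=val".
SetCookieInfo ParseSetCookie(const std::string& header_value) {
    SetCookieInfo info;
    std::istringstream parts(header_value);
    std::string part;
    for (bool first = true; std::getline(parts, part, ';'); first = false) {
        const auto eq = part.find('=');
        std::string key = Trim(part.substr(0, eq));
        const std::string val = eq == std::string::npos ? "" : Trim(part.substr(eq + 1));
        if (first) { info.name = key; info.value = val; continue; }
        // Attribute names are case-insensitive; the cookie name above is not.
        for (char& c : key) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        char* end = nullptr;
        const long age = std::strtol(val.c_str(), &end, 10);
        if (key == "httponly") info.http_only = true;
        else if (key == "secure") info.secure = true;
        // Only Max-Age is checked; an Expires date in the past is not parsed here.
        else if (key == "max-age" && end != val.c_str() && *end == '\0' && age <= 0) info.deletes = true;
    }
    return info;
}
// The three Set-Cookie values from the response log posted in the thread.
std::vector<SetCookieInfo> ParseLoggedResponse() {
    return {ParseSetCookie("cforig_cookieuser=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure"),
            ParseSetCookie("cfsessionhash=e59f13677f46886b46fe96afeae8db67; path=/; HttpOnly"),
            ParseSetCookie("cfdup_timestamp=1655790384")};
}

int main() {
    for (const auto& c : ParseLoggedResponse())
        std::cout << c.name << " httponly=" << c.http_only << " secure=" << c.secure << " deletes=" << c.deletes << "\n";
}
```
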

Re: Setting/deleting/changing cookies upon request

Post by Staxcelrom » Tue Jun 21, 2022 2:01 am

magreenblatt wrote: Cookies need to be changed via CefCookieManager.


Thank you!
But why would a direct change on the CefRequest object not want to work?

That is, I mean, what is the main difference between changing cookies in CefRequest or in CefCookieManager?

Re: Setting/deleting/changing cookies upon request

Post by magreenblatt » Tue Jun 21, 2022 2:22 am

Cookies have special handling/behavior, and can also be accessed via JavaScript.

Re: Setting/deleting/changing cookies upon request

Post by Staxcelrom » Tue Jun 21, 2022 3:25 am

Please excuse my persistence.

But when I get the GetResourceResponseFilter callback - and when I get (*request).GetHeaderMap(headerMap);
And I see in the headerMap that: Cookies : cookie_bla_bla

This means that the CEF browser sent exactly these HTTP headers, or is it not, and the CEF browser actually sent other HTTP headers to the server?

Re: Setting/deleting/changing cookies upon request

Post by Staxcelrom » Tue Jun 21, 2022 4:56 am

That is, I mean - if I change other HTTP request headers in the same way, they will not actually be sent to the server either, and the CEF browser will send some of its own headers, but not the ones that I changed?

Re: Setting/deleting/changing cookies upon request

Post by magreenblatt » Tue Jun 21, 2022 5:25 am

After the request is sent the headers will not be changed, and the CefRequest contents should be accurate. Some specific headers (Cookie, Referer, etc) receive special handling and cannot/should not be modified via CefRequest.

Re: Setting/deleting/changing cookies upon request

Post by Staxcelrom » Tue Jun 21, 2022 5:41 am

magreenblatt wrote: After the request is sent the headers will not be changed, and the CefRequest contents should be accurate. Some specific headers (Cookie, Referer, etc) receive special handling and cannot/should not be modified via CefRequest.


But the problem is not that they should or should not be modified.

I modified them BEFORE sending the request in OnBeforeResourceLoad.

In GetResourceResponseFilter - I get confirmation that the request was sent with modified cookies.

If the CEF browser sent a request with my modified cookies (non-existent), then how does the server identify and authorize this request if I changed the cookies? That's what I can't understand.

Can you explain this?