Impact
In the implementation of version 0.0.1, requests from different user clients are processed using a shared httpx.AsyncClient.
However, one oversight is that the httpx.AsyncClient will persistently store cookies based on the set-cookie response header sent by the target server and share these cookies across different user requests.
This results in a cookie leakage issue among all user clients sharing the same httpx.AsyncClient.
Patches
It's fixed in 0.1.0
Workarounds
If you insist 0.0.1:
- Do not use
ForwardHttpProxy at all.
- Do not use
ReverseHttpProxy or ReverseWebSocketProxy for any servers that may potentially send a set-cookie response.
However, it's best to upgrade to the latest version.
References
fixed in #10
Impact
In the implementation of version
0.0.1, requests from different user clients are processed using a sharedhttpx.AsyncClient.However, one oversight is that the
httpx.AsyncClientwill persistently store cookies based on theset-cookieresponse header sent by the target server and share these cookies across different user requests.This results in a cookie leakage issue among all user clients sharing the same
httpx.AsyncClient.Patches
It's fixed in
0.1.0Workarounds
If you insist
0.0.1:ForwardHttpProxyat all.ReverseHttpProxyorReverseWebSocketProxyfor any servers that may potentially send aset-cookieresponse.However, it's best to upgrade to the latest version.
References
fixed in #10