Double Set-Cookie: PHPSESSID in http response

Question

I am writing an application that will autocomplete a form on a website;(in Java)

The user must be logged in to do this, and this is where the issue appears: this is a chunk of the response to the login request:

Set-Cookie: PHPSESSID=3fvr31tb3c1iplpi3vqpvloar3; path=/; domain=.bursatransport.com

Set-Cookie: PHPSESSID=eanaj1d9egd73uiome0jtsed43; path=/; domain=.bursatransport.com

As far as I have tested it, the last one is the correct one(I tested it by changing the PHPSESSID cookie in the browser)

My application retains the first cookie. As a result, when submitting a form, it behaves as if the user would not be logged in. Sometines it retained the last cookie, but it did not succesfully submit the form(the same as before).

Here is my login code:

String query = String
            .format("returnTo=/&Login[username]=%s&Login[password]=%s&Login[rememberMe]=0&yt4=",
                    URLEncoder.encode(name, charset),
                    URLEncoder.encode(password, charset));
    CookieManager manager = new CookieManager();
    manager.setCookiePolicy(CookiePolicy.ACCEPT_ALL);
    CookieHandler.setDefault(manager);
    URLConnection mycon = new URL(url).openConnection();
    mycon.setDoOutput(true);
    mycon.setRequestProperty("Accept-Language", "ro-RO,ro;q=0.8,en-US;q=0.6,en;q=0.4");
    mycon.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    mycon.setRequestProperty("Accept-Charset", charset);
    mycon.setRequestProperty("Content-Type",
            "application/x-www-form-urlencoded;charset=" + charset);
    OutputStream output = null;
    output = mycon.getOutputStream();
    output.write(query.getBytes(charset));
    mycon.getContent();

This is for sure not a server issue, since it responds correctly to browser requests(I am listening to them with fiddler)

Answer 1

I solved the problem(even if i still don't know the roots of it).

The response contained 2 "Set-Cookie" headers because(this is not your most consistent reason) my request did not contain a PHPSESSID cookie; So I changed the code, so that it would first get the login page(with no login data). The response to this request set's a PHPSESSID cookie(but I am not logged in)

Then I send my login request (which now contains a PHPSESSID cookie) and, boom, it works.

here is the code:

    CookieManager manager = new CookieManager();
    CookieHandler.setDefault(manager);
    URLConnection mycon = new URL(url).openConnection();
    mycon.getContent();
    String query = String
            .format("Login[username]=%s&Login[password]=%s&Login[rememberMe]=0&yt4=",
                    URLEncoder.encode(name, charset),
                    URLEncoder.encode(password, charset));
    mycon = new URL(url).openConnection();
    mycon.setDoOutput(true);
    mycon.setRequestProperty("Accept-Language", "ro-RO,ro;q=0.8,en-US;q=0.6,en;q=0.4");
    mycon.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    mycon.setRequestProperty("Accept-Charset", charset);
    mycon.setRequestProperty("Content-Type",
            "application/x-www-form-urlencoded;charset=" + charset);
    OutputStream output = null;
    output = mycon.getOutputStream();
    output.write(query.getBytes(charset));
    output.close();
    mycon.getContent();
    mycon.getInputStream().close();

This the post that "opened my eyes": Java: Handling cookies when logging in with POST