remember_cookie from /api/auth/from-session and xf_user cookie


Affected version
The xf_user cookie has a urlencoded comma stored in its value (i.e. 'n%2Cnnnnnnnnn...' instead of just 'n,nnnnnn....'), which makes /api/auth/from-session fail when that value is passed as is.

I had to look through the /api source code in order to understand what is wrong and why it did not like my valid xf_user cookie.

I would expect the API to do urldecode() of the remember_cookie param on its own before running all the checks; otherwise it just fails in XF/Repository/UserRemember.php(36) at:
if (!$cookie || !is_string($cookie) || !strpos($cookie, ','))

-because there is no comma in the cookie, but '%2C' 🤷‍♂️

How are you passing the value through? I use this endpoint in our WordPress integration and when it's available to me in PHP reading from $_COOKIE it's decoded.
I look in my browser for the cookie value and just copy it as the remember_cookie param value (cURL request, Postman, etc). The cookie has the comma as %2C, while the API expects a raw comma.
That's probably the issue then; when you use it programmatically it will be in the correct format. Just change the %2C to a , in Postman if you're just manually copying it.
OK, I have just realized that content-type: application/x-www-form-urlencoded, I guess, is assumed to hold exactly urlencoded() values, so %2C is fully legitimate to use instead of a comma. Thanks for the clarification!
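
Added example, not part of the thread and not XenForo code: it traces a browser-copied xf_user value through three ways of building the form body and applies a Python mirror of the check quoted from UserRemember.php(36). The cookie value is constructed, and `server_sees` (using `parse_qs`) is an assumed stand-in for how a form-urlencoded body is decoded on the server.

```python
from urllib.parse import parse_qs, unquote, urlencode

# Constructed sample in the page's 'n%2Cnnnn...' shape; not a real cookie.
COPIED_FROM_BROWSER = "1%2CcOnStRuCtEdKeY"


def server_accepts(cookie):
    """Python mirror of the PHP check quoted from UserRemember.php(36).

    PHP's !strpos($cookie, ',') is true both when there is no comma and
    when the comma sits at offset 0, so only an index > 0 passes.
    """
    return bool(cookie) and isinstance(cookie, str) and cookie.find(",") > 0


def normalize_copied_cookie(value):
    """Decode a browser-copied value once; leave an already-raw value alone."""
    return value if "," in value else unquote(value)


def form_body(value):
    """Body a form-aware client builds: it percent-encodes whatever it is given."""
    return urlencode({"remember_cookie": value})


def server_sees(body):
    """Assumed stand-in for server-side decoding of a form-urlencoded body."""
    return parse_qs(body, keep_blank_values=True)["remember_cookie"][0]


def trace():
    """Return (body, decoded value, accepted) for three ways of sending it."""
    bodies = {
        "client re-encodes copied value": form_body(COPIED_FROM_BROWSER),
        "copied value placed in body as is": "remember_cookie=" + COPIED_FROM_BROWSER,
        "normalized, then encoded once": form_body(
            normalize_copied_cookie(COPIED_FROM_BROWSER)),
    }
    return {k: (b, server_sees(b), server_accepts(server_sees(b)))
            for k, b in bodies.items()}


if __name__ == "__main__":
    for label, (body, seen, ok) in trace().items():
        print(f"{label}: body={body!r} server_sees={seen!r} accepted={ok}")
```

Only the first path, where the already-encoded value is encoded a second time, leaves a literal %2C for the comma check to reject.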