The other day I got a strange warning in my client after sending requests to Twitter:

    2018-01-12 02:32:50,162 WARN o.a.h.c.p.ResponseProcessCookies:130 - Invalid cookie header: "set-cookie: guest_id=v1%3A151572431977858379; Expires=Sun, 12 Jan 2020 02:31:59 UTC; Path=/; Domain=.twitter.com". Invalid 'expires' attribute: Sun, 12 Jan 2020 02:31:59 UTC
The format is correct, so in the end it's an HTTP client misconfiguration, but that leaves me with the question: why would a RESTful API send cookies?
These appear to be Twitter's tracking cookies, so what use are they in a RESTful context? Does Twitter want to set the cookie if invoked through XMLHttpRequest (rather than server-side), or is it a generic "set cookie" filter that they've mistakenly applied to API endpoints as well?
The question is not just about Twitter, but in general about RESTful APIs.
Below is an excerpt from the raw response headers:

    Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
    X-XSS-Protection: 1; mode=block; report=https://twitter.com/i/xss_report
    Expires: Tue, 31 Mar 1981 05:00:00 GMT
    Fri, 12 Jan 2018 17:45:03 GMT
    Set-Cookie: personalization_id="v1_/3EYpbQnCe+vnjhnBUew=="; Expires=Sun, 12 Jan 2020 17:45:03 UTC; Path=/; Domain=.twitter.com
    Set-Cookie: guest_id=v1%3A1515770330954116; Expires=Sun, 12 Jan 2020 17:45:03 UTC; Path=/; Domain=.twitter.com
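The warning in the post comes from Apache HttpClient's `ResponseProcessCookies`, i.e. from the client-side cookie spec, not from the API. The following is an added example (not the poster's code, and not Twitter's) showing the two configurations a practitioner would normally pick between in Apache HttpClient 4.5.x: the RFC 6265 "standard" cookie spec, whose lax date parser accepts `Expires` values ending in `UTC`, and `IGNORE_COOKIES`, which is the sensible choice for a token-authenticated API client that has no reason to persist a server's tracking cookies across requests. The class name `ApiCookieConfig` and the placeholder URL are assumptions for illustration.

```java
import java.io.IOException;

import org.apache.http.Header;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/**
 * Added example (not the poster's code): two ways to configure Apache HttpClient 4.5.x
 * so that Set-Cookie headers with an "Expires=... UTC" date no longer trigger
 * "Invalid cookie header ... Invalid 'expires' attribute" from ResponseProcessCookies.
 */
public class ApiCookieConfig {

    /**
     * Parse Set-Cookie with the RFC 6265 ("standard") spec. Its lax expires handler
     * accepts the date format the default/compatibility spec rejects, and cookies are
     * stored and replayed like a browser would.
     */
    public static CloseableHttpClient withStandardCookies() {
        RequestConfig cfg = RequestConfig.custom()
                .setCookieSpec(CookieSpecs.STANDARD)
                .build();
        return HttpClients.custom().setDefaultRequestConfig(cfg).build();
    }

    /**
     * For an API client that authenticates with a bearer token or OAuth header:
     * neither parse nor store cookies. The Set-Cookie headers are still visible on
     * the response object, but nothing is kept or sent back, so the client cannot
     * accidentally become a carrier for server-side tracking identifiers.
     */
    public static CloseableHttpClient withoutCookies() {
        RequestConfig cfg = RequestConfig.custom()
                .setCookieSpec(CookieSpecs.IGNORE_COOKIES)
                .build();
        return HttpClients.custom().setDefaultRequestConfig(cfg).build();
    }

    public static void main(String[] args) throws IOException {
        // Placeholder endpoint (assumption); pass the real API URL as the first argument.
        String url = args.length > 0 ? args[0] : "https://api.example.com/1.1/resource.json";
        try (CloseableHttpClient client = withoutCookies();
             CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            System.out.println(resp.getStatusLine());
            // Show what the server tried to set, even though the client ignores it.
            for (Header h : resp.getHeaders("Set-Cookie")) {
                System.out.println("server tried to set: " + h.getValue());
            }
        }
    }
}
```

Note that `CookieSpecs.STANDARD` only silences the warning; it also makes the client accept and replay whatever cookies the API hands out. If your requests already carry an `Authorization` header, `IGNORE_COOKIES` is the stricter option and removes the cookie store as a place where server-set identifiers accumulate.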