Zrok seems to silently drop request cookies which have JSON values

Hi, have just started with zrok and was trying to get openobserve shared but found the login fails due to its cookie not being received.

The POST response that sets the cookie makes it to the browser, and on the next GET request the browser shows that it sent the cookie, but it doesn't show as being received when in debug, in the caddy log or in a packet capture.

The openobserve cookie format looks like this:

auth_tokens={"access_token":"Basic YmxhaEBibGFoLmJsYWg6YmxhaA","refresh_token":""};

Have also been able to get it working using caddy by modifying the cookie on the way down and correcting it on the way back up:

#change to: auth_tokens=YmxhaEBibGFoLmJsYWg6YmxhaA
header_down Set-Cookie (.*?)(?:{"access_token":"Basic\s)(.*?)(?:","refresh_token":""})(.*) "$1$2$3"

#change back to: auth_tokens={"access_token": ..}
header_up Cookie (.*?auth_tokens=)(.*?)(\;.*|$) "$1{\"access_token\":\"Basic $2\",\"refresh_token\":\"\"}$3"

Just wondering if anyone else has noticed this and if it's expected or is this a bug?

UPDATE: Seems it may be the quotes in the cookie value causing the problem.

Hi @SteveA, welcome to the community and to zrok! (and OpenZiti and BrowZer)

If the quote is causing issues, is the quote escaped? Could you HTML escape the cookie maybe?

%22Your%20Cookie%20Here%22

It's possible that the WAF is somehow munging the cookie too. I'm not well-versed in how that's set up, but I can try to ask someone to check/try.

Hi @TheLumberjack

Looking at the packet capture, the quotes aren't escaped, so will have a crack at doing that in caddy and let you know.

Tried the HTML escapes but didn't seem to help.

Did find a simpler caddy rewrite I could use though:

header_down Set-Cookie (?:["]) "'"
header_up Cookie (?:[']) "\""
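An added example, not part of any post above and not zrok's own code: it reproduces the symptom with Go's standard `net/http` cookie parser, which skips a cookie whose value contains an embedded `"` without reporting an error. It assumes the component dropping the cookie parses the `Cookie` header with `net/http` (zrok is written in Go, but the thread does not confirm where the drop happens); the `session` cookie and the helper names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed request header: the auth_tokens value is the one quoted in the
// thread; the "session" cookie is made up to show that other cookies survive.
const jsonHeader = `session=abc; auth_tokens={"access_token":"Basic YmxhaEBibGFoLmJsYWg6YmxhaA","refresh_token":""}`

// cookieValue parses a raw Cookie header with net/http and looks up one
// cookie. net/http skips any pair whose value holds a byte it rejects (for
// example an embedded '"' or '\\') and raises no parse error, so the cookie
// is simply absent from the result.
func cookieValue(rawHeader, name string) (string, bool) {
	req := &http.Request{Header: http.Header{"Cookie": []string{rawHeader}}}
	c, err := req.Cookie(name)
	if err != nil { // http.ErrNoCookie: missing or silently skipped
		return "", false
	}
	return c.Value, true
}

// toSingleQuotes and toDoubleQuotes mirror the header_down / header_up
// rewrites from the last post (hypothetical helper names).
func toSingleQuotes(s string) string { return strings.ReplaceAll(s, `"`, `'`) }
func toDoubleQuotes(s string) string { return strings.ReplaceAll(s, `'`, `"`) }

func main() {
	for _, h := range []string{jsonHeader, toSingleQuotes(jsonHeader)} {
		_, sessOK := cookieValue(h, "session")
		v, authOK := cookieValue(h, "auth_tokens")
		fmt.Printf("session=%v auth_tokens=%v value=%q\n", sessOK, authOK, v)
	}
}
```

The single-quoted value is no longer valid JSON, so it has to be restored before it reaches OpenObserve, which is what the `header_up` rule does. That rule replaces every single quote in the `Cookie` header, so any other cookie containing `'` is altered as well.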