introduce disable-cookie (#4292)

* introduce disable-cookie * remove debug statement * fix headless template * increase `-interactions-poll-duration` value to 5 * docs update --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2025-12-17 17:35:28 +00:00 · 2023-11-18 10:32:10 +03:00 · 2023-11-18 10:32:10 +03:00 · a9efb75d59
commit a9efb75d59
parent 34192ac359
16 changed files with 45 additions and 40 deletions
--- a/SYNTAX-REFERENCE.md
+++ b/SYNTAX-REFERENCE.md
@ -1390,12 +1390,12 @@ Valid values:

 <div class="dd">

-<code>cookie-reuse</code>  <i>bool</i>
+<code>disable-cookie</code>  <i>bool</i>

 </div>
 <div class="dt">

-CookieReuse is an optional setting that enables cookie reuse for
+DisableCookie is an optional setting that disables cookie reuse for
 all requests defined in raw section.

 </div>
@ -2881,12 +2881,12 @@ Fuzzing describes schema to fuzz headless requests

 <div class="dd">

-<code>cookie-reuse</code>  <i>bool</i>
+<code>disable-cookie</code>  <i>bool</i>

 </div>
 <div class="dt">

-CookieReuse is an optional setting that enables cookie reuse
+DisableCookie is an optional setting that disables cookie reuse

 </div>

--- a/integration_tests/protocols/http/raw-cookie-reuse.yaml
+++ b/integration_tests/protocols/http/raw-cookie-reuse.yaml
@ -1,6 +1,6 @@
 id: cookiereuse-raw-example
 info:
-  name: Test CookieReuse RAW Template
+  name: Test Cookie Reuse RAW Template
  author: pdteam
  severity: info

@ -27,7 +27,6 @@ requests:
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
        Accept-Language: en-US,en;q=0.9
        
-    cookie-reuse: true
    matchers:
      - type: word
        words:
--- a/integration_tests/protocols/http/raw-dynamic-extractor.yaml
+++ b/integration_tests/protocols/http/raw-dynamic-extractor.yaml
@ -36,7 +36,6 @@ requests:
        regex:
          - "Token: '([A-Za-z0-9]+)'"

-    cookie-reuse: true
    matchers:
      - type: word
        words:
--- a/integration_tests/workflow/headless-1.yaml
+++ b/integration_tests/workflow/headless-1.yaml
@ -6,8 +6,7 @@ info:
  tags: headless

 headless:
-  - cookie-reuse: true
-    steps:
+    - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}/headless1"
--- a/integration_tests/workflow/http-1.yaml
+++ b/integration_tests/workflow/http-1.yaml
@ -9,4 +9,3 @@ http:
  - method: GET
    path:
      - "{{BaseURL}}/http1"
-    cookie-reuse: true
--- a/integration_tests/workflow/http-2.yaml
+++ b/integration_tests/workflow/http-2.yaml
@ -9,4 +9,3 @@ http:
  - method: GET
    path:
      - "{{BaseURL}}/http2"
-    cookie-reuse: true
--- a/integration_tests/workflow/http-3.yaml
+++ b/integration_tests/workflow/http-3.yaml
@ -9,4 +9,3 @@ http:
  - method: GET
    path:
      - "{{BaseURL}}/http3"
-    cookie-reuse: true
--- a/pkg/protocols/headless/engine/page.go
+++ b/pkg/protocols/headless/engine/page.go
@ -39,9 +39,9 @@ type HistoryData struct {

 // Options contains additional configuration options for the browser instance
 type Options struct {
-	Timeout     time.Duration
-	CookieReuse bool
-	Options     *types.Options
+	Timeout       time.Duration
+	DisableCookie bool
+	Options       *types.Options
 }

 // Run runs a list of actions by creating a new page in the browser.
@ -108,7 +108,7 @@ func (i *Instance) Run(input *contextargs.Context, actions []*Action, payloads m
 		return nil, nil, err
 	}

-	if options.CookieReuse {
+	if !options.DisableCookie {
 		if cookies := input.CookieJar.Cookies(URL); len(cookies) > 0 {
 			var NetworkCookies []*proto.NetworkCookie
 			for _, cookie := range cookies {
@ -141,9 +141,9 @@ func (i *Instance) Run(input *contextargs.Context, actions []*Action, payloads m
 		return nil, nil, err
 	}

-	if options.CookieReuse {
+	if !options.DisableCookie {
 		// at the end of actions pull out updated cookies from the browser and inject them into the shared cookie jar
-		if cookies, err := page.Cookies([]string{URL.String()}); options.CookieReuse && err == nil && len(cookies) > 0 {
+		if cookies, err := page.Cookies([]string{URL.String()}); !options.DisableCookie && err == nil && len(cookies) > 0 {
 			var httpCookies []*http.Cookie
 			for _, cookie := range cookies {
 				httpCookie := &http.Cookie{
--- a/pkg/protocols/headless/engine/rules.go
+++ b/pkg/protocols/headless/engine/rules.go
@ -37,7 +37,7 @@ func (p *Page) routingRuleHandler(ctx *rod.Hijack) {
 		}
 	}

-	if p.options.CookieReuse {
+	if !p.options.DisableCookie {
 		// each http request is performed via the native go http client
 		// we first inject the shared cookies
 		if cookies := p.input.CookieJar.Cookies(ctx.Request.URL()); len(cookies) > 0 {
@ -48,7 +48,7 @@ func (p *Page) routingRuleHandler(ctx *rod.Hijack) {
 	// perform the request
 	_ = ctx.LoadResponse(p.instance.browser.httpclient, true)

-	if p.options.CookieReuse {
+	if !p.options.DisableCookie {
 		// retrieve the updated cookies from the native http client and inject them into the shared cookie jar
 		// keeps existing one if not present
 		if cookies := p.instance.browser.httpclient.Jar.Cookies(ctx.Request.URL()); len(cookies) > 0 {
--- a/pkg/protocols/headless/headless.go
+++ b/pkg/protocols/headless/headless.go
@ -65,7 +65,12 @@ type Request struct {

 	// description: |
 	//   CookieReuse is an optional setting that enables cookie reuse
+	// Deprecated: This is default now. Use disable-cookie to disable cookie reuse. cookie-reuse will be removed in future releases.
 	CookieReuse bool `yaml:"cookie-reuse,omitempty" json:"cookie-reuse,omitempty" jsonschema:"title=optional cookie reuse enable,description=Optional setting that enables cookie reuse"`
+
+	// description: |
+	//   DisableCookie is an optional setting that disables cookie reuse
+	DisableCookie bool `yaml:"disable-cookie,omitempty" json:"disable-cookie,omitempty" jsonschema:"title=optional disable cookie reuse,description=Optional setting that disables cookie reuse"`
 }

 // RequestPartDefinitions contains a mapping of request part definitions and their
--- a/pkg/protocols/headless/request.go
+++ b/pkg/protocols/headless/request.go
@ -130,13 +130,13 @@ func (request *Request) executeRequestWithPayloads(input *contextargs.Context, p
 		return errors.Wrap(err, errCouldGetHtmlElement)
 	}
 	options := &engine.Options{
-		Timeout:     time.Duration(request.options.Options.PageTimeout) * time.Second,
-		CookieReuse: request.CookieReuse,
-		Options:     request.options.Options,
+		Timeout:       time.Duration(request.options.Options.PageTimeout) * time.Second,
+		DisableCookie: request.DisableCookie,
+		Options:       request.options.Options,
 	}

-	if options.CookieReuse && input.CookieJar == nil {
-		return errors.New("cookie-reuse set but cookie-jar is nil")
+	if !options.DisableCookie && input.CookieJar == nil {
+		return errors.New("cookie reuse enabled but cookie-jar is nil")
 	}

 	out, page, err := instance.Run(input, request.Steps, payloads, options)
--- a/pkg/protocols/http/cluster.go
+++ b/pkg/protocols/http/cluster.go
@ -16,7 +16,7 @@ func (request *Request) CanCluster(other *Request) bool {
 	}
 	if request.Method != other.Method ||
 		request.MaxRedirects != other.MaxRedirects ||
-		request.CookieReuse != other.CookieReuse ||
+		request.DisableCookie != other.DisableCookie ||
 		request.Redirects != other.Redirects {
 		return false
 	}
--- a/pkg/protocols/http/http.go
+++ b/pkg/protocols/http/http.go
@ -146,7 +146,13 @@ type Request struct {
 	// description: |
 	//   CookieReuse is an optional setting that enables cookie reuse for
 	//   all requests defined in raw section.
+	// Deprecated: This is default now. Use disable-cookie to disable cookie reuse. cookie-reuse will be removed in future releases.
 	CookieReuse bool `yaml:"cookie-reuse,omitempty" json:"cookie-reuse,omitempty" jsonschema:"title=optional cookie reuse enable,description=Optional setting that enables cookie reuse"`
+
+	// description: |
+	//   DisableCookie is an optional setting that disables cookie reuse
+	DisableCookie bool `yaml:"disable-cookie,omitempty" json:"disable-cookie,omitempty" jsonschema:"title=optional disable cookie reuse,description=Optional setting that disables cookie reuse"`
+
 	// description: |
 	//   Enables force reading of the entire raw unsafe request body ignoring
 	//   any specified content length headers.
@ -247,10 +253,10 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 	}

 	connectionConfiguration := &httpclientpool.Configuration{
-		Threads:      request.Threads,
-		MaxRedirects: request.MaxRedirects,
-		NoTimeout:    false,
-		CookieReuse:  request.CookieReuse,
+		Threads:       request.Threads,
+		MaxRedirects:  request.MaxRedirects,
+		NoTimeout:     false,
+		DisableCookie: request.DisableCookie,
 		Connection: &httpclientpool.ConnectionConfiguration{
 			DisableKeepAlive: httputil.ShouldDisableKeepAlive(options.Options),
 		},
--- a/pkg/protocols/http/httpclientpool/clientpool.go
+++ b/pkg/protocols/http/httpclientpool/clientpool.go
@ -95,8 +95,8 @@ type Configuration struct {
 	MaxRedirects int
 	// NoTimeout disables http request timeout for context based usage
 	NoTimeout bool
-	// CookieReuse enables cookie reuse for the http client (cookiejar impl)
-	CookieReuse bool
+	// DisableCookie disables cookie reuse for the http client (cookiejar impl)
+	DisableCookie bool
 	// FollowRedirects specifies the redirects flow
 	RedirectFlow RedirectFlow
 	// Connection defines custom connection configuration
@ -116,7 +116,7 @@ func (c *Configuration) Hash() string {
 	builder.WriteString("f")
 	builder.WriteString(strconv.Itoa(int(c.RedirectFlow)))
 	builder.WriteString("r")
-	builder.WriteString(strconv.FormatBool(c.CookieReuse))
+	builder.WriteString(strconv.FormatBool(c.DisableCookie))
 	builder.WriteString("c")
 	builder.WriteString(strconv.FormatBool(c.Connection != nil))
 	hash := builder.String()
@ -125,7 +125,7 @@ func (c *Configuration) Hash() string {

 // HasStandardOptions checks whether the configuration requires custom settings
 func (c *Configuration) HasStandardOptions() bool {
-	return c.Threads == 0 && c.MaxRedirects == 0 && c.RedirectFlow == DontFollowRedirect && !c.CookieReuse && c.Connection == nil && !c.NoTimeout
+	return c.Threads == 0 && c.MaxRedirects == 0 && c.RedirectFlow == DontFollowRedirect && c.DisableCookie && c.Connection == nil && !c.NoTimeout
 }

 // GetRawHTTP returns the rawhttp request client
@ -277,7 +277,7 @@ func wrappedGet(options *types.Options, configuration *Configuration) (*retryabl
 	var jar *cookiejar.Jar
 	if configuration.Connection != nil && configuration.Connection.HasCookieJar() {
 		jar = configuration.Connection.GetCookieJar()
-	} else if configuration.CookieReuse {
+	} else if !configuration.DisableCookie {
 		if jar, err = cookiejar.New(&cookiejar.Options{PublicSuffixList: publicsuffix.List}); err != nil {
 			return nil, errors.Wrap(err, "could not create cookiejar")
 		}
--- a/pkg/templates/cluster.go
+++ b/pkg/templates/cluster.go
@ -32,7 +32,7 @@ import (
 //
 // Cases where clustering is not performed (request is considered different)
 //   - If request contains payloads,raw,body,unsafe,req-condition,name attributes
-//   - If request methods,max-redirects,cookie-reuse,redirects are not equal
+//   - If request methods,max-redirects,disable-cookie,redirects are not equal
 //   - If request paths aren't identical.
 //   - If request headers aren't identical
 //   - Similarly for DNS, only identical DNS requests are clustered to a target.
--- a/pkg/testutils/integration.go
+++ b/pkg/testutils/integration.go
@ -144,7 +144,7 @@ func RunNucleiArgsWithEnvAndGetResults(debug bool, env []string, extra ...string
 	cmd.Env = append(os.Environ(), env...)
 	cmd.Args = append(cmd.Args, extra...)
 	cmd.Args = append(cmd.Args, "-duc") // disable auto updates
-	cmd.Args = append(cmd.Args, "-interactions-poll-duration", "1")
+	cmd.Args = append(cmd.Args, "-interactions-poll-duration", "5")
 	cmd.Args = append(cmd.Args, "-interactions-cooldown-period", "10")
 	cmd.Args = append(cmd.Args, "-allow-local-file-access")
 	if debug {