Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

#46 Add cookie management commands#47

Open
simbo1905 wants to merge 1 commit into
simonw:main from
simbo1905:simbo1905
Open

#46 Add cookie management commands #47
simbo1905 wants to merge 1 commit into
simonw:main from
simbo1905:simbo1905

Conversation

@simbo1905

@simbo1905 simbo1905 commented Mar 19, 2026

Copy link
Copy Markdown

Closes #46

This adds first-class cookie management commands to Rodney. See the issue for the full command and behavior spec.

Help output

rodney cookie set <name> <value> --domain <domain> [--path <path>] [--secure] [--http-only] [--same-site <mode>]
 Set a browser cookie for a domain
rodney cookie list List cookies for the current page URL
rodney cookie get <name> Print a cookie value for the current page URL
rodney cookie delete <name> --domain <domain> [--path <path>]
 Delete a browser cookie by domain/path

Tests

Test Purpose
TestParseCookieSetArgs_Minimal verifies minimal parsing for cookie set
TestParseCookieSetArgs_WithOptionalFlags verifies parsing of optional set flags
TestParseCookieSetArgs_RequiresDomain verifies --domain is required for set
TestSetCookie_SetsCookieForDomain verifies a cookie can be set for a domain
TestSetCookie_AppliesOptionalAttributes verifies optional cookie attributes are applied
TestParseCookieDeleteArgs_Minimal verifies minimal parsing for cookie delete
TestParseCookieDeleteArgs_RequiresDomain verifies --domain is required for delete
TestListCookies_ReturnsCurrentPageCookies verifies cookie list returns cookies for the current page
TestGetCookie_ReturnsMatchingCookie verifies cookie get returns the expected value
TestGetCookie_ReturnsNilWhenMissing verifies missing cookie lookup behavior
TestDeleteCookie_RemovesCookie verifies cookie deletion
TestFormatCookieList_SortsByName verifies stable sorted list output

Notes

This feature was built using a red/green TDD workflow.

It has also been exercised in a real project against a major SaaS platform, without relying on any platform-specific code or tests in this change.

Comment thread main.go
Comment on lines +83 to +88
DebugURL string `json:"debug_url"`
ChromePID int `json:"chrome_pid"`
ActivePage int `json:"active_page"` // index into pages list
DataDir string `json:"data_dir"`
ProxyPID int `json:"proxy_pid,omitempty"` // PID of auth proxy helper
ProxyPort int `json:"proxy_port,omitempty"` // local port of auth proxy

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: These whitespace-only alignment changes (here, the .Leakless comment at line 387, the queryAXNodes field at line 1929, and the TestAssert_ValueFormatting table at line 1180 in the test file) are unrelated to the cookie feature and make the diff harder to review. They can also cause unnecessary merge conflicts if other PRs touch these lines. Consider dropping these or splitting them into a separate formatting PR.

Comment thread main.go
Comment on lines +1164 to +1171
cookie, err := getCookie(page, opts.Name)
if err != nil {
fatal("failed to check cookie: %v", err)
}
if cookie == nil || cookie.Domain != opts.Domain || cookie.Path != opts.Path {
fmt.Fprintf(os.Stderr, "cookie not found: %s\n", opts.Name)
os.Exit(1)
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pre-check may give false "not found" results. getCookie calls listCookies, which filters cookies by the current page URL. If the cookie's domain doesn't match the page the user currently has open, listCookies won't return it — even though NetworkDeleteCookies could still delete it by name+domain+path.

Consider either:

  1. Removing the pre-check and just calling deleteCookie directly (the CDP call is idempotent — deleting a non-existent cookie is a no-op), or
  2. Documenting that the current page must match the cookie's domain for delete to work.

Comment thread main.go
Comment on lines +1075 to +1082
type cookieSetOptions struct {
Name string
Value string
Domain string
Path string
Secure bool
HTTPOnly bool
SameSite proto.NetworkCookieSameSite

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a blocker, but worth noting: there's no Expires or MaxAge field here, so cookie set can only create session cookies. Expiry is a very common need (e.g., setting a persistent auth cookie). Consider tracking --expires / --max-age support as a follow-up issue.

Comment thread main.go
return sb.String()
}

func findCookie(cookies []*proto.NetworkCookie, name string) *proto.NetworkCookie {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

findCookie returns the first match by name. If two cookies share the same name but differ by domain (e.g., session on example.com and session on sub.example.com), cookie get will return whichever appears first — which may not be what the user expects.

Consider accepting an optional --domain filter on cookie get, or at minimum documenting this limitation.

Comment thread main_test.go
}

func TestParseCookieSetArgs_WithOptionalFlags(t *testing.T) {
opts, err := parseCookieSetArgs([]string{"session", "abc123", "--domain", "example.com", "--path", "/app", "--secure", "--http-only", "--same-site", "strict"})

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test only covers the space-separated form --same-site strict. The parsing code also supports --same-site=strict (equals form). Consider adding a test case for the = variant to prevent regressions in that code path.

alex-pezarro-portswigger added a commit to alex-pezarro-portswigger/rodney that referenced this pull request Apr 20, 2026 
- Revert whitespace-only alignment changes in State struct, Leakless
 comment, AccessibilityQueryAXTree field, and TestAssert_ValueFormatting
 table to keep the diff focused on cookies.
- Drop the cookie delete pre-check. NetworkDeleteCookies is idempotent,
 and the old pre-check via getCookie/listCookies filtered by the
 current page URL, so it gave false 'not found' results when the
 cookie's domain didn't match the current page.
- Add optional --domain filter to 'cookie get' so duplicate cookie
 names on different domains can be disambiguated; add parser tests
 and a findCookie filter test.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jstockdi jstockdi jstockdi left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add cookie management commands to Rodney (PR inbound)

AltStyle によって変換されたページ (->オリジナル) /