autologin with redirect and new cookie doesn't work
Created by: lukaszbudnik
Hi,
I cannot get autologin to work with a successful HTTP 303 See Other + Set-Cookie response.
I'm running arachni with these parameters:
--plugin=autologin:url=https://XXXX/login,parameters="username=XXXX&password=XXX&",check=""
When running with debug set to 3, I see that the web application authentication works fine.
I start with url https://XXX. The webapp detects that arachni is not authenticated, adds a C1 cookie and redirects arachni to the /login page.
Arachni submits the C1 cookie together with the autologin POST request:
POST /login HTTP/1.1
...
Cookie: C1=XXXX
....
[!!!] Client: Status: 303
[!!!] Client: URL: XXX
[!!!] Client: Headers:
HTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, must-revalidate
Date: Tue, 01 Dec 2015 13:37:02 GMT
Expires: 0
Location: /
Pragma: no-cache
Set-Cookie: C2=XXXX; Path=/; Secure; HTTPOnly
Set-Cookie: C3=XXXX; Path=/; Secure; HTTPOnly
Set-Cookie: C4=XXXX; Path=/; Secure; HTTPOnly
The webapp authenticates the POST, returns 303 and sets the additional C2, C3, and C4 cookies.
In the console output I see that the AutoLogin plugin set C1, but didn't include the C2, C3, and C4 cookies:
[~] AutoLogin: System paused.
[+] AutoLogin: Form submitted successfully.
[~] AutoLogin: Cookies set to:
[~] AutoLogin: * "C1" = "XXX"
And I think this is causing my issues. Arachni cannot crawl any more pages as C2, C3, and C4 cookies are not set.
Is this an arachni limitation? Is there a workaround for it?
thanks, Łukasz
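A way to confirm the symptom described above from a saved debug log, as an added example that is not part of the original issue and not Arachni's own code: it lists the cookies issued by `Set-Cookie` headers and subtracts those the AutoLogin plugin reports. The sample log is constructed from the output quoted in the issue, and the function names are hypothetical.

```ruby
# Added example (not Arachni code): find cookies issued during login
# that never made it into the cookies the AutoLogin plugin reports.

# Constructed sample, mirroring the debug output quoted in the issue.
SAMPLE_LOG = <<~LOG
  [!!!] Client: Status: 303
  [!!!] Client: Headers:
  HTTP/1.1 303 See Other
  Location: /
  Set-Cookie: C2=XXXX; Path=/; Secure; HTTPOnly
  Set-Cookie: C3=XXXX; Path=/; Secure; HTTPOnly
  Set-Cookie: C4=XXXX; Path=/; Secure; HTTPOnly
  [~] AutoLogin: System paused.
  [+] AutoLogin: Form submitted successfully.
  [~] AutoLogin: Cookies set to:
  [~] AutoLogin: * "C1" = "XXX"
LOG

# Names of cookies issued via Set-Cookie response headers.
# Header names are case-insensitive, so the match is too.
def cookies_issued(log)
  log.each_line.map { |l| l[/\A\s*set-cookie:\s*([^=;\s]+)=/i, 1] }.compact.uniq
end

# Names of cookies the plugin lists after "Cookies set to:".
def cookies_reported(log)
  log.each_line.map { |l| l[/AutoLogin:\s*\*\s*"([^"]+)"\s*=/, 1] }.compact.uniq
end

# Cookies the application issued but the plugin did not pick up.
def missing_cookies(log)
  cookies_issued(log) - cookies_reported(log)
end

# True when the log contains a 3xx status line, i.e. the cookies may
# have been set on a redirect rather than on the final response.
def redirect_seen?(log)
  log.each_line.any? { |l| l =~ %r{\AHTTP/\d(?:\.\d)?\s+3\d\d\b} }
end

if __FILE__ == $PROGRAM_NAME
  log = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  puts "Redirect in login flow: #{redirect_seen?(log)}"
  puts "Issued but not reported: #{missing_cookies(log).join(', ')}"
end
```

Pass the path of a saved debug log as the first argument to check a real run; with no argument it uses the constructed sample.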