Node-Red HTTP Request and session cookies



I'm trying to control my alarm system (Somfy protexiom 800) from Node-Red.
My starting point was a shell script by jcjames_13009 (located here: which mainly uses curl.

I recreated the login part in Node-Red, my login is successful and I'm getting a session cookie which is used as authentication for the rest of the session.
It originally comes in "msg.responseCookies" and looks like this:

Whenever I try to access the interface of the alarm system, I always get an error page saying 'there's already a session open, try again later'.

I know that my session cookie is OK because:

  • I can reuse it from firefox by editing the cookie manually, using the sessionID received in Node-Red.
    The firefox cookie looks like this:
    "name": "sid",
    "value": "1234",
    "domain": "myalarm",
    "hostOnly": true,
    "path": "/",
    "secure": false,
    "httpOnly": true,
    "sameSite": "no_restriction",
    "session": true,
    "firstPartyDomain": "",
    "storeId": "firefox-default",
    "origin": "http://myalarm"
  • I'm also able to get into the session from another PC, using curl and a forged cookie file, again reusing the same sessionID:
    The curl cookie file looks like this:
# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.

myalarm   FALSE   /       FALSE   0       sid     1234

I can't understand why those 2 methods work fine and I can't manage it in Node-Red.

Here's the data I tried passing from a function node to an http request node (GET):

var sid_cookie = {"sid":{"path":"/","value":"1234"}}
msg.cookies = {sid_cookie};
> msg.headers = {};
> msg.headers["cookie"] = sid_cookie;
> msg.cookies = "sid=" + sid_cookie.sid.value

then I tried using similar headers as what curl is sending:

> msg.headers = {};
> msg.headers["cookie"] = "sid=" + sid_cookie.sid.value;
> msg.headers["Accept"] = "*/*";
> msg.headers["User-Agent"] = "curl/7.58.0";
> msg.headers["host"] = "myalarm";
> msg.headers["Referer"] = "http://myalarm" ; //also tried this
> msg.headers["connection"] = "close"; //also tried this because curl send it
> msg.cookies = "sid=" + sid_cookie.sid.value

None of those work, although the cookie is passed properly as far as I can see.
but there must be a difference between the firefox / curl and Node-Red protocol

Thinking that I'm missing some context information, I redirected my curl http request, as well as my Node-Red http request node to an 'http in' node to view both outputs, but I can't see any meaningful differences... (msgid, and header["host"] values)

Has anyone have an idea on how to to this properly, or at least how to troubleshoot this kind of issue ?


Ok, I figured it out,

When using msg.cookie or any variation of this, the msg property 'cookie' is always set to lowercase.
I tried forcing it uppcase but it goes back to lowercase when the message is generated.

So all my subsequent tries using headers were made with 'cookie' as well, as I thought it did not matter.

I used tcpdump to track any differences between the network traffic generated by curl and Node-Red and the only difference was that curl did send the 'Cookie' parameter with an uppercase 'C'.

So I used the following notation in Node-Red:

msg.headers = {
    Cookie : "sid=" + sid_cookie.sid.value,
    Accept : "*/*",
    "User-Agent" : "curl/7.58.0",
    Host : "alarmesomfy",
    connection : "close"

And that did the trick.