Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8276774

Cookie stored in CookieHandler not sent if user headers contain cookie

    XMLWordPrintable

    Details

    • Subcomponent:
    • Introduced In Build:
      b20
    • Introduced In Version:
      12
    • Resolved In Build:
      b25
    • CPU:
      generic
    • OS:
      generic

      Backports

        Description

        A DESCRIPTION OF THE PROBLEM :
        An HTTP client gets a cookie back from a backend, which is stored in the CookieHandler. At the next request, the cookie is correctly added to the HttpRequest through the CookieFilter, but in case a user header "Cookie" was added to the request before, then the cookie added by the CookieFilter will be filtered out and not sent to the backend. This is typically the case with session cookies.

        I think that the problem lies in the method jdk.internal.net.http.Http1Request.collectHeaders0(StringBuilder): see comment of line 111: "Filter any headers from systemHeaders that are set in userHeaders". The line 127 "collectCookie(...)" uses the filtered systemHeaders so any cookie set by the CookieFilter in the systemHeaders is filtered out in case the userHeaders contains some Cookie.

        I suppose that the problem is similar with HTTP/2 as the same filter is used in jdk.internal.net.http.Stream.headerFrame(long) at line 657, but I did not test it.

        REGRESSION : Last worked in version 11.0.13

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        1. Client sends an HTTP/1.1 request to Backend
        2. Backend send a response with a Set-Cookie: mycookie=1
        3. The cookie mycookie is stored in the CookieHandler from Client
        4. Client creates another request to Backend, adds header "Cookie: anotherone=2" and sens the request
        5. CookieFilter adds the mycookie from the CookieHandler to the systemHeaders of the request


        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        6. Http1Request.collectHeaders0 merges the Cookie from systemHeaders with the Cookie from userHeaders
        7. Backend gets "Cookie: mycookie=1; anotherone=2"
        ACTUAL -
        6. Http1Request.collectHeaders0 filters out the Cookie from systemHeaders
        7. Backend gets only "Cookie: anotherone=2"

        CUSTOMER SUBMITTED WORKAROUND :
        Manage the cookies at application level instead of using CookieHandler: this is not trivial and implies several changes in code of the applications.

        FREQUENCY : always


          Attachments

            Issue Links

              Activity

                People

                Assignee:
                dfuchs Daniel Fuchs
                Reporter:
                webbuggrp Webbug Group
                Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: