JDK-8179393

Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive


    • x86_64
    • windows_7

      FULL PRODUCT VERSION :
      java version "1.8.0_121"
      Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Version 6.1.7601]

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Internet Explorer version 11.0.9600.18617

      A DESCRIPTION OF THE PROBLEM :
      The fix for JDK-7077220 allows Java Applets to read and use HttpOnly cookies when using Internet Explorer.

      The problem is that it incorrectly forces a case-sensitive match when checking for the "HttpOnly" parameter in the Set-Cookie header. RFC 6265 states that the match should be case-insensitive.

      https://tools.ietf.org/html/rfc6265#section-5.2.6

      As such Java Applets can see this cookie:

      Set-Cookie: test=test; HttpOnly

      But cannot set this cookie:

      Set-Cookie: test=test; HTTPOnly


      This causes an issue with CA's SiteMinder application, which sends HttpOnly cookies with "HTTPOnly". That works fine in browsers but cannot be read by Java, despite RFC 6265 stating that it should work.
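      The RFC 6265 section 5.2.6 rule the report relies on, as an added example that is not code from the bug report or from the JDK: a small Set-Cookie parser that matches attribute names case-insensitively, placed next to the case-sensitive comparison the report describes, plus a Cookie-header builder that applies the section 5.4 rule that HttpOnly cookies are withheld from non-HTTP APIs. The sample headers (including the SMSESSION cookie name) are constructed for this example.

```python
# Constructed sample Set-Cookie header values for the example; the first two
# mirror the report's test applet, the others are made up.
SAMPLE_HEADERS = [
    "FOO=BAR;HTTPOnly",
    "ABC=XYZ",
    "SMSESSION=abc123; Path=/; Secure; HttpOnly",
    "low=case; httponly",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header value following RFC 6265 section 5.2.

    Returns None if the header must be ignored (no '=' or empty name), else a
    dict with the cookie name, value and the attributes this example tracks.
    Attribute names are compared case-insensitively, as 5.2.5 (Secure) and
    5.2.6 (HttpOnly) require; unknown attributes are ignored (5.2 step 6).
    """
    parts = header.split(";")
    name_value, attrs = parts[0], parts[1:]
    if "=" not in name_value:
        return None
    name, value = (s.strip() for s in name_value.split("=", 1))
    if not name:
        return None
    cookie = {"name": name, "value": value,
              "httponly": False, "secure": False, "path": None}
    for attr in attrs:
        attr_name, _, attr_value = attr.partition("=")
        key = attr_name.strip().lower()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
        elif key == "path":
            cookie["path"] = attr_value.strip() or None
    return cookie


def strict_httponly(header):
    """The behaviour the report describes: an exact, case-sensitive match
    against the string 'HttpOnly'. 'HTTPOnly' and 'httponly' are missed."""
    return any(a.strip() == "HttpOnly" for a in header.split(";")[1:])


def cookie_header(headers, non_http_api):
    """Build the value of a later Cookie request header from stored cookies.

    RFC 6265 section 5.4 step 1 says that when the request comes from a
    "non-HTTP" API (for example script access) cookies carrying the
    http-only flag must be excluded; HTTP requests get all of them.
    """
    cookies = [c for c in (parse_set_cookie(h) for h in headers) if c]
    if non_http_api:
        cookies = [c for c in cookies if not c["httponly"]]
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        print(f"{h!r:48} rfc6265 httponly={c['httponly']!s:5} "
              f"case-sensitive match={strict_httponly(h)}")
    print("Cookie (HTTP request):   ", cookie_header(SAMPLE_HEADERS, False))
    print("Cookie (non-HTTP API):   ", cookie_header(SAMPLE_HEADERS, True))
```

      Run against the constructed headers, only the "HttpOnly" spelling passes the case-sensitive check, whereas the RFC parser flags all three spellings; the HttpOnly flag is the only thing keeping a cookie out of the non-HTTP Cookie header, so a parser that misses the flag silently exposes the cookie to script.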

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Run Test Java Applet in IE
      2. Click Test button

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Expected output (in the text box next to the "Test" button):

          put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
          got: {Cookie=[FOO=BAR, ABC=XYZ]}
      ACTUAL -
      Actual output:

          put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
          got: {Cookie=[ABC=XYZ]}

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      This is the same code as from JDK-7077220 with the only change being that the "HttpOnly" text was changed to "HTTPOnly":



      import java.awt.BorderLayout;
      import java.awt.event.ActionEvent;
      import java.awt.event.ActionListener;
      import java.net.CookieHandler;
      import java.net.URI;
      import java.util.Arrays;
      import java.util.HashMap;
      import java.util.List;
      import java.util.Map;
      import javax.swing.JApplet;
      import javax.swing.JButton;
      import javax.swing.JTextArea;
      import javax.swing.SwingUtilities;

      public class CookieTest extends JApplet {

          private JTextArea textArea;

          @Override
          public void init() {
              try {
                  // Build the UI on the event dispatch thread: a "Test" button
                  // on top and a text area that receives the put/got output.
                  SwingUtilities.invokeAndWait(new Runnable() {
                      @Override public void run() {
                          setLayout(new BorderLayout());

                          JButton button = new JButton("Test");
                          button.addActionListener(new ActionListener() {
                              @Override public void actionPerformed(ActionEvent e) {
                                  test();
                              }
                          });
                          add(button, BorderLayout.NORTH);

                          textArea = new JTextArea();
                          add(textArea, BorderLayout.CENTER);
                      }
                  });
              } catch (Exception e) {
                  System.err.println("createGUI didn't complete successfully");
              }
          }

          private void test() {
              try {
                  // The plugin's default handler stores cookies in the browser's
                  // (here IE's) cookie jar.
                  CookieHandler handler = CookieHandler.getDefault();

                  URI uri = new URI("https://www.google.com/accounts/ServiceLogin");

                  // Store one cookie with the upper-case "HTTPOnly" attribute and
                  // one plain cookie for comparison.
                  Map<String, List<String>> headers =
                          new HashMap<String, List<String>>();
                  headers.put("Set-Cookie", Arrays.asList(
                          "FOO=BAR;HTTPOnly","ABC=XYZ"));

                  handler.put(uri, headers);
                  textArea.append("put: " + headers + "\n");

                  // Read them back; with the bug only ABC=XYZ is returned.
                  headers = handler.get(uri, new HashMap<String, List<String>>());
                  textArea.append("got: " + headers + "\n");
              } catch (Exception ex) {
                  textArea.setText("Error, consult Java console for more info");
                  ex.printStackTrace(System.err);
              }
          }
      }
      ---------- END SOURCE ----------

      Attachment: CookieScreenshot.png (6 kB)