Details
-
Bug
-
Resolution: Fixed
-
P3
-
8u151, 9
-
b01
-
x86_64
-
windows_7
Backports
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8212344 | 8u202 | Andy Herrick | P3 | Resolved | Fixed | b01 |
| JDK-8207650 | 8u192 | Andy Herrick | P3 | Resolved | Fixed | b02 |
| JDK-8202217 | 8u181 | Andy Herrick | P3 | Resolved | Fixed | b04 |
| JDK-8211571 | emb-8u191 | Andy Herrick | P3 | Resolved | Fixed | master |
| JDK-8203074 | emb-8u181 | Andy Herrick | P3 | Resolved | Fixed | b04 |
Description
FULL PRODUCT VERSION :
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Internet Explorer version 11.0.9600.18617
A DESCRIPTION OF THE PROBLEM :
I'm resubmittingJDK-8179393 because it was improperly closed despite me responding to the request for more information. This is now resulting in a major business impact which has raised this issue to a very high priority.
The fix forJDK-7077220 allows Java Applets to read and use HttpOnly cookies when using Internet Explorer 11.
The problem is that it incorrectly forces a case-sensitive match when checking for the "HttpOnly" parameter in the Set-Cookie header. RFC 6265 states that the match should be case-insensitive.
https://tools.ietf.org/html/rfc6265#section-5.2.6
As such Java Applets can see this cookie:
Set-Cookie: test=test; HttpOnly
But cannot set this cookie:
Set-Cookie: test=test; HTTPOnly
This is causes an issue with CA's SiteMinder application which sends HttpOnly cookie's with "HTTPOnly", which works fine in browsers, but cannot be read by Java despite RFC 6265 stating that it should work.
This problem requires running the applet in Internet Explorer, not the appletviewer as the applet uses IE's cookie management. Switching to using the Java's cookie managerment is not an option because the login page is displayed outside of the applet. I realize applets are going to be deprecated, but they are still currently being supported so this should still work.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Run Test Java Applet in IE
2. Click Test button
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected output (in the text box next to the "Test" button):
put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
got: {Cookie=[FOO=BAR, ABC=XYZ]}
ACTUAL -
Actual output:
put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
got: {Cookie=[ABC=XYZ]}
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
This is the same code as from JDK-707220 with the only change being that the "HttpOnly" text was changed to "HTTPOnly":
public class CookieTest extends JApplet {
private JTextArea textArea;
@Override
public void init() {
try {
SwingUtilities.invokeAndWait(new Runnable() {
@Override public void run() {
setLayout(new BorderLayout());
JButton button = new JButton("Test");
button.addActionListener(new ActionListener() {
@Override public void actionPerformed(ActionEvent e) {
test();
}
});
add(button, BorderLayout.NORTH);
textArea = new JTextArea();
add(textArea, BorderLayout.CENTER);
}
});
} catch (Exception e) {
System.err.println("createGUI didn't complete successfully");
}
}
private void test() {
try {
CookieHandler handler = CookieHandler.getDefault();
URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
Map<String, List<String>> headers =
new HashMap<String, List<String>>();
headers.put("Set-Cookie", Arrays.asList(
"FOO=BAR;HTTPOnly","ABC=XYZ"));
handler.put(uri, headers);
textArea.append("put: " + headers + "\n");
headers = handler.get(uri, new HashMap<String, List<String>>());
textArea.append("got: " + headers + "\n");
} catch (Exception ex) {
textArea.setText("Error, consult Java console for more info");
ex.printStackTrace(System.err);
}
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
There is no possible work around other than to disable HttpOnly cookies.
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Internet Explorer version 11.0.9600.18617
A DESCRIPTION OF THE PROBLEM :
I'm resubmitting
The fix for
The problem is that it incorrectly forces a case-sensitive match when checking for the "HttpOnly" parameter in the Set-Cookie header. RFC 6265 states that the match should be case-insensitive.
https://tools.ietf.org/html/rfc6265#section-5.2.6
As such Java Applets can see this cookie:
Set-Cookie: test=test; HttpOnly
But cannot set this cookie:
Set-Cookie: test=test; HTTPOnly
This is causes an issue with CA's SiteMinder application which sends HttpOnly cookie's with "HTTPOnly", which works fine in browsers, but cannot be read by Java despite RFC 6265 stating that it should work.
This problem requires running the applet in Internet Explorer, not the appletviewer as the applet uses IE's cookie management. Switching to using the Java's cookie managerment is not an option because the login page is displayed outside of the applet. I realize applets are going to be deprecated, but they are still currently being supported so this should still work.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Run Test Java Applet in IE
2. Click Test button
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected output (in the text box next to the "Test" button):
put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
got: {Cookie=[FOO=BAR, ABC=XYZ]}
ACTUAL -
Actual output:
put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
got: {Cookie=[ABC=XYZ]}
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
This is the same code as from JDK-707220 with the only change being that the "HttpOnly" text was changed to "HTTPOnly":
public class CookieTest extends JApplet {
private JTextArea textArea;
@Override
public void init() {
try {
SwingUtilities.invokeAndWait(new Runnable() {
@Override public void run() {
setLayout(new BorderLayout());
JButton button = new JButton("Test");
button.addActionListener(new ActionListener() {
@Override public void actionPerformed(ActionEvent e) {
test();
}
});
add(button, BorderLayout.NORTH);
textArea = new JTextArea();
add(textArea, BorderLayout.CENTER);
}
});
} catch (Exception e) {
System.err.println("createGUI didn't complete successfully");
}
}
private void test() {
try {
CookieHandler handler = CookieHandler.getDefault();
URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
Map<String, List<String>> headers =
new HashMap<String, List<String>>();
headers.put("Set-Cookie", Arrays.asList(
"FOO=BAR;HTTPOnly","ABC=XYZ"));
handler.put(uri, headers);
textArea.append("put: " + headers + "\n");
headers = handler.get(uri, new HashMap<String, List<String>>());
textArea.append("got: " + headers + "\n");
} catch (Exception ex) {
textArea.setText("Error, consult Java console for more info");
ex.printStackTrace(System.err);
}
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
There is no possible work around other than to disable HttpOnly cookies.
Attachments
Issue Links
- backported by
-
JDK-8202217 Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
- duplicates
-
-
- Closed
-
- relates to
-
-
- Closed
-
(1 duplicates, 1 relates to)