- Type: Bug
- Resolution: Fixed
- Priority: P3
- Affects Version/s: 8u151, 9
- Resolved In Build: b01
- CPU: x86_64
- OS: windows_7
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8212344 | 8u202 | Andy Herrick | P3 | Resolved | Fixed | b01 |
JDK-8207650 | 8u192 | Andy Herrick | P3 | Resolved | Fixed | b02 |
JDK-8202217 | 8u181 | Andy Herrick | P3 | Resolved | Fixed | b04 |
JDK-8211571 | emb-8u191 | Andy Herrick | P3 | Resolved | Fixed | master |
JDK-8203074 | emb-8u181 | Andy Herrick | P3 | Resolved | Fixed | b04 |
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Internet Explorer version 11.0.9600.18617
A DESCRIPTION OF THE PROBLEM :
I'm resubmitting
The fix for
The problem is that it incorrectly forces a case-sensitive match when checking for the "HttpOnly" parameter in the Set-Cookie header. RFC 6265 states that the match should be case-insensitive.
https://tools.ietf.org/html/rfc6265#section-5.2.6
As such, Java applets can see this cookie:
Set-Cookie: test=test; HttpOnly
But cannot set this cookie:
Set-Cookie: test=test; HTTPOnly
This causes an issue with CA's SiteMinder application, which sends HttpOnly cookies with "HTTPOnly". This works fine in browsers, but cannot be read by Java despite RFC 6265 stating that it should work.
This problem requires running the applet in Internet Explorer, not the appletviewer, as the applet uses IE's cookie management. Switching to using Java's cookie management is not an option because the login page is displayed outside of the applet. I realize applets are going to be deprecated, but they are still currently being supported, so this should still work.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Run Test Java Applet in IE
2. Click Test button
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected output (in the text box next to the "Test" button):
put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
got: {Cookie=[FOO=BAR, ABC=XYZ]}
ACTUAL -
Actual output:
put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
got: {Cookie=[ABC=XYZ]}
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
This is the same code as from JDK-707220 with the only change being that the "HttpOnly" text was changed to "HTTPOnly":
```java
import java.awt.BorderLayout;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.net.CookieHandler;
import java.net.URI;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.swing.JApplet;
import javax.swing.JButton;
import javax.swing.JTextArea;
import javax.swing.SwingUtilities;

public class CookieTest extends JApplet {
    private JTextArea textArea;

    @Override
    public void init() {
        try {
            // Build the UI on the event dispatch thread, as Swing requires.
            SwingUtilities.invokeAndWait(new Runnable() {
                @Override public void run() {
                    setLayout(new BorderLayout());
                    JButton button = new JButton("Test");
                    button.addActionListener(new ActionListener() {
                        @Override public void actionPerformed(ActionEvent e) {
                            test();
                        }
                    });
                    add(button, BorderLayout.NORTH);
                    textArea = new JTextArea();
                    add(textArea, BorderLayout.CENTER);
                }
            });
        } catch (Exception e) {
            System.err.println("createGUI didn't complete successfully");
        }
    }

    private void test() {
        try {
            // Under IE the default handler delegates to the browser's cookie store.
            CookieHandler handler = CookieHandler.getDefault();
            URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
            Map<String, List<String>> headers =
                    new HashMap<String, List<String>>();
            // One cookie carries the attribute spelled "HTTPOnly", not "HttpOnly".
            headers.put("Set-Cookie", Arrays.asList(
                    "FOO=BAR;HTTPOnly", "ABC=XYZ"));
            handler.put(uri, headers);
            textArea.append("put: " + headers + "\n");
            // Read the cookies back; with the defect, the HTTPOnly cookie is missing.
            headers = handler.get(uri, new HashMap<String, List<String>>());
            textArea.append("got: " + headers + "\n");
        } catch (Exception ex) {
            textArea.setText("Error, consult Java console for more info");
            ex.printStackTrace(System.err);
        }
    }
}
```
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
There is no possible workaround other than to disable HttpOnly cookies.
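The attribute matching the report calls out, as an added example that is neither the JDK's nor the reporter's code: a parser for one Set-Cookie header value following the RFC 6265 section 5.2 algorithm (attribute names compared case-insensitively, unknown attributes ignored), beside the exact-case check the report describes. The names parse_set_cookie, ParsedCookie and httponly_case_sensitive are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Attribute names the parser recognises, matched after lower-casing, since
# RFC 6265 section 5.2 compares attribute-names case-insensitively.
KNOWN_ATTRIBUTES = {"expires", "max-age", "domain", "path", "secure", "httponly"}

@dataclass
class ParsedCookie:
    name: str
    value: str
    # Lower-cased attribute-name -> attribute-value; flag attributes such as
    # Secure and HttpOnly carry no value and are stored as None.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value following RFC 6265 section 5.2."""
    # Step 1: split the name-value-pair from the unparsed-attributes at ";".
    name_value, _, unparsed = header.partition(";")
    # Steps 2-4: the name is the part before the first "=", trimmed; a header
    # without "=" or with an empty name is ignored entirely.
    if "=" not in name_value:
        raise ValueError("Set-Cookie name-value-pair lacks '='")
    name, _, value = name_value.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        raise ValueError("Set-Cookie has an empty cookie name")
    cookie = ParsedCookie(name, value)
    # Steps 5-6: each ";"-separated cookie-av is split at its first "=" and its
    # attribute-name compared case-insensitively; unknown names are ignored.
    for av in unparsed.split(";"):
        if not av.strip():
            continue
        attr_name, has_eq, attr_value = av.partition("=")
        attr_name = attr_name.strip().lower()
        if attr_name in KNOWN_ATTRIBUTES:
            cookie.attributes[attr_name] = attr_value.strip() if has_eq else None
    return cookie

def httponly_case_sensitive(header: str) -> bool:
    """The defect the report describes: an exact-case match on "HttpOnly"."""
    return any(av.strip() == "HttpOnly" for av in header.split(";")[1:])
```

With the report's two headers, parse_set_cookie flags both "test=test; HttpOnly" and "test=test; HTTPOnly" as HttpOnly, while httponly_case_sensitive only recognises the first.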
Backported by:
- JDK-8202217 Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive (Resolved)
- JDK-8203074 Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive (Resolved)
- JDK-8207650 Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive (Resolved)
- JDK-8211571 Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive (Resolved)
- JDK-8212344 Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive (Resolved)
Duplicates:
- JDK-8193348 All but first cookie sent from server are ignored by JWS client (Closed)
Relates to:
- JDK-8193348 All but first cookie sent from server are ignored by JWS client (Closed)