
Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive


    • b01
    • x86_64
    • windows_7

        FULL PRODUCT VERSION :
        java version "1.8.0_151"
        Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
        Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)

        ADDITIONAL OS VERSION INFORMATION :
        Microsoft Windows [Version 6.1.7601]


        EXTRA RELEVANT SYSTEM CONFIGURATION :
        Internet Explorer version 11.0.9600.18617

        A DESCRIPTION OF THE PROBLEM :
        I'm resubmitting JDK-8179393 because it was improperly closed despite me responding to the request for more information. This is now resulting in a major business impact which has raised this issue to a very high priority.

        The fix for JDK-7077220 allows Java Applets to read and use HttpOnly cookies when using Internet Explorer 11.

        The problem is that it incorrectly forces a case-sensitive match when checking for the "HttpOnly" parameter in the Set-Cookie header. RFC 6265 states that the match should be case-insensitive.

        https://tools.ietf.org/html/rfc6265#section-5.2.6

        As such, Java applets can see this cookie:

        Set-Cookie: test=test; HttpOnly

        But cannot set this cookie:

        Set-Cookie: test=test; HTTPOnly


        This causes an issue with CA's SiteMinder application, which sends HttpOnly cookies with "HTTPOnly". This works fine in browsers but cannot be read by Java, despite RFC 6265 stating that it should work.
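        To make the case-sensitivity point concrete, here is a small standalone Java program (an added example, not code from the JDK, the Java Plug-in or SiteMinder) that scans a Set-Cookie value the way RFC 6265 section 5.2 describes and reports whether the cookie is recognised as HttpOnly under a case-sensitive attribute comparison versus the case-insensitive match the RFC requires. The class and method names are the example's own, and it goes beyond HttpOnly to the other section 5.2 attribute names, which the RFC also matches case-insensitively.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/**
 * Added example (not JDK, Java Plug-in or SiteMinder code): a minimal
 * RFC 6265 section 5.2 scan of one Set-Cookie header value, comparing
 * the case-sensitive attribute check described in this report with the
 * case-insensitive match the RFC requires.
 */
public final class SetCookieAttributes {

    /** Attribute names defined in RFC 6265 section 5.2, in their canonical spelling. */
    private static final String[] KNOWN = {
        "Expires", "Max-Age", "Domain", "Path", "Secure", "HttpOnly"
    };

    /**
     * Parses "name=value; attr; attr=value ..." into a map of recognised
     * attribute name (lower-cased key) to attribute value ("" for flags such
     * as Secure and HttpOnly). Attributes that match no known name are
     * ignored, as section 5.2 step 6 directs.
     */
    static Map<String, String> parseAttributes(String setCookie, boolean caseInsensitive) {
        Map<String, String> out = new LinkedHashMap<>();
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {      // parts[0] is the name=value pair
            String av = parts[i].trim();
            int eq = av.indexOf('=');                  // split at the first '=' only
            String name = eq < 0 ? av : av.substring(0, eq).trim();
            String value = eq < 0 ? "" : av.substring(eq + 1).trim();
            for (String known : KNOWN) {
                boolean match = caseInsensitive
                        ? name.equalsIgnoreCase(known)   // RFC 6265 section 5.2.x rule
                        : name.equals(known);            // the defect this report describes
                if (match) {
                    out.put(known.toLowerCase(Locale.ROOT), value);
                    break;
                }
            }
        }
        return out;
    }

    /** True when the header marks the cookie HttpOnly under the chosen matching rule. */
    static boolean isHttpOnly(String setCookie, boolean caseInsensitive) {
        return parseAttributes(setCookie, caseInsensitive).containsKey("httponly");
    }

    public static void main(String[] args) {
        // Constructed samples: the two header forms quoted in this report, the
        // applet's test values, and one mixed-case header for the other attributes.
        String[] samples = {
            "test=test; HttpOnly",
            "test=test; HTTPOnly",
            "FOO=BAR;HTTPOnly",
            "ABC=XYZ",
            "sid=abc; PATH=/; SECURE; httponly"
        };
        System.out.printf("%-36s %-16s %s%n",
                "Set-Cookie value", "case-sensitive", "RFC 6265 (case-insensitive)");
        for (String s : samples) {
            System.out.printf("%-36s %-16b %b%n", s, isHttpOnly(s, false), isHttpOnly(s, true));
        }
    }
}
```

        Under the case-sensitive rule only "test=test; HttpOnly" is reported as HttpOnly; under the RFC rule every sample except "ABC=XYZ" is, which is the behaviour the report expects for "FOO=BAR;HTTPOnly".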

        This problem requires running the applet in Internet Explorer, not the appletviewer, as the applet uses IE's cookie management. Switching to Java's cookie management is not an option because the login page is displayed outside of the applet. I realize applets are going to be deprecated, but they are still currently being supported, so this should still work.

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        1. Run Test Java Applet in IE
        2. Click Test button

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Expected output (in the text box next to the "Test" button):

            put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
            got: {Cookie=[FOO=BAR, ABC=XYZ]}
        ACTUAL -
        Actual output:

            put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
            got: {Cookie=[ABC=XYZ]}

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        This is the same code as from JDK-7077220, with the only change being that the "HttpOnly" text was changed to "HTTPOnly":

        import java.awt.BorderLayout;
        import java.awt.event.ActionEvent;
        import java.awt.event.ActionListener;
        import java.net.CookieHandler;
        import java.net.URI;
        import java.util.Arrays;
        import java.util.HashMap;
        import java.util.List;
        import java.util.Map;
        import javax.swing.JApplet;
        import javax.swing.JButton;
        import javax.swing.JTextArea;
        import javax.swing.SwingUtilities;

        public class CookieTest extends JApplet {

            private JTextArea textArea;

            @Override
            public void init() {
                try {
                    SwingUtilities.invokeAndWait(new Runnable() {
                        @Override public void run() {
                            setLayout(new BorderLayout());

                            JButton button = new JButton("Test");
                            button.addActionListener(new ActionListener() {
                                @Override public void actionPerformed(ActionEvent e) {
                                    test();
                                }
                            });
                            add(button, BorderLayout.NORTH);

                            textArea = new JTextArea();
                            add(textArea, BorderLayout.CENTER);
                        }
                    });
                } catch (Exception e) {
                    System.err.println("createGUI didn't complete successfully");
                }
            }

            private void test() {
                try {
                    CookieHandler handler = CookieHandler.getDefault();

                    URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
                    
                    Map<String, List<String>> headers =
                            new HashMap<String, List<String>>();
                    headers.put("Set-Cookie", Arrays.asList(
                            "FOO=BAR;HTTPOnly","ABC=XYZ"));
                    
                    handler.put(uri, headers);
                    textArea.append("put: " + headers + "\n");

                    headers = handler.get(uri, new HashMap<String, List<String>>());
                    textArea.append("got: " + headers + "\n");
                } catch (Exception ex) {
                    textArea.setText("Error, consult Java console for more info");
                    ex.printStackTrace(System.err);
                }
            }
        }
        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        There is no possible workaround other than to disable HttpOnly cookies.

              herrick Andy Herrick (Inactive)
              webbuggrp Webbug Group
              Votes: 0
              Watchers: 4
