- Bug
- Resolution: Fixed
- P3
- 11.0.14, 11.0.14-oracle, 12, 17, 18

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8278001 | 17.0.3-oracle | Evan Whelan | P3 | Resolved | Fixed | b01 |
JDK-8277779 | 17.0.2 | Evan Whelan | P3 | Resolved | Fixed | b07 |
JDK-8277780 | 11.0.15-oracle | Evan Whelan | P3 | Resolved | Fixed | b01 |
JDK-8277107 | 11.0.14-oracle | Evan Whelan | P3 | Resolved | Fixed | b07 |
JDK-8278155 | 11.0.14 | Martin Doerr | P3 | Resolved | Fixed | b06 |
An HTTP client gets a cookie back from a backend, which is stored in the CookieHandler. At the next request, the cookie is correctly added to the HttpRequest through the CookieFilter, but in case a user header "Cookie" was added to the request before, then the cookie added by the CookieFilter will be filtered out and not sent to the backend. This is typically the case with session cookies.
I think that the problem lies in the method jdk.internal.net.http.Http1Request.collectHeaders0(StringBuilder): see comment of line 111: "Filter any headers from systemHeaders that are set in userHeaders". The line 127 "collectCookie(...)" uses the filtered systemHeaders so any cookie set by the CookieFilter in the systemHeaders is filtered out in case the userHeaders contains some Cookie.
I suppose that the problem is similar with HTTP/2 as the same filter is used in jdk.internal.net.http.Stream.headerFrame(long) at line 657, but I did not test it.
REGRESSION : Last worked in version 11.0.13
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Client sends an HTTP/1.1 request to Backend
2. Backend sends a response with a Set-Cookie: mycookie=1
3. The cookie mycookie is stored in the CookieHandler from Client
4. Client creates another request to Backend, adds header "Cookie: anotherone=2" and sends the request
5. CookieFilter adds the mycookie from the CookieHandler to the systemHeaders of the request
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
6. Http1Request.collectHeaders0 merges the Cookie from systemHeaders with the Cookie from userHeaders
7. Backend gets "Cookie: mycookie=1; anotherone=2"
ACTUAL -
6. Http1Request.collectHeaders0 filters out the Cookie from systemHeaders
7. Backend gets only "Cookie: anotherone=2"
CUSTOMER SUBMITTED WORKAROUND :
Manage the cookies at application level instead of using CookieHandler: this is not trivial and implies several changes in code of the applications.
FREQUENCY : always
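
The reproduction steps above as a self-contained program (an added example, not code from the bug report or from the JDK's own tests). The class name `CookieMergeRepro` and the in-process `com.sun.net.httpserver` backend on a loopback port are assumptions made so that it runs offline on any JDK 11 or later.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.CookieManager;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

public class CookieMergeRepro {
    public static void main(String[] args) throws Exception {
        // Constructed backend: records the Cookie header of each request
        // and always answers with Set-Cookie: mycookie=1.
        List<String> seen = new CopyOnWriteArrayList<>();
        HttpServer backend = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        backend.createContext("/", ex -> {
            List<String> cookies = ex.getRequestHeaders().get("Cookie");
            seen.add(cookies == null ? "<none>" : String.join("; ", cookies));
            ex.getResponseHeaders().add("Set-Cookie", "mycookie=1");
            ex.sendResponseHeaders(204, -1);
            ex.close();
        });
        backend.start();
        try {
            URI uri = URI.create("http://127.0.0.1:" + backend.getAddress().getPort() + "/");
            HttpClient client = HttpClient.newBuilder()
                    .version(HttpClient.Version.HTTP_1_1)   // the Http1Request code path
                    .cookieHandler(new CookieManager())
                    .build();
            // Steps 1-3: the first response stores mycookie in the CookieHandler.
            client.send(HttpRequest.newBuilder(uri).build(),
                    HttpResponse.BodyHandlers.discarding());
            // Steps 4-5: the second request carries a user-supplied Cookie header.
            client.send(HttpRequest.newBuilder(uri).header("Cookie", "anotherone=2").build(),
                    HttpResponse.BodyHandlers.discarding());
            String second = seen.get(1);
            System.out.println("Backend received on 2nd request: Cookie: " + second);
            boolean both = second.contains("mycookie=1") && second.contains("anotherone=2");
            System.out.println(both ? "OK: stored cookie and user cookie were both sent"
                                    : "AFFECTED: cookie from CookieHandler was dropped");
        } finally {
            backend.stop(0);
        }
    }
}
```

Run it with `java CookieMergeRepro.java`, once on the JDK build under test and once on a build carrying the fix, and compare the two lines of output.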
- backported by
  - JDK-8277107 Cookie stored in CookieHandler not sent if user headers contain cookie (Resolved)
  - JDK-8277779 Cookie stored in CookieHandler not sent if user headers contain cookie (Resolved)
  - JDK-8277780 Cookie stored in CookieHandler not sent if user headers contain cookie (Resolved)
  - JDK-8278001 Cookie stored in CookieHandler not sent if user headers contain cookie (Resolved)
  - JDK-8278155 Cookie stored in CookieHandler not sent if user headers contain cookie (Resolved)
- relates to
  - JDK-8213189 Make restricted headers in HTTP Client configurable and remove Date by default (Resolved)
- links to
  - Commit openjdk/jdk11u/8fe5d595
  - Commit openjdk/jdk17u/670d73ef
  - Commit openjdk/jdk/03debf27
  - Review openjdk/jdk11u/18
  - Review openjdk/jdk17u/300
  - Review openjdk/jdk/6408