Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8276774

Cookie stored in CookieHandler not sent if user headers contain cookie

XMLWordPrintable

    • b20
    • 12
    • b25
    • generic
    • generic
    • Verified

        A DESCRIPTION OF THE PROBLEM :
        An HTTP client gets a cookie back from a backend, which is stored in the CookieHandler. At the next request, the cookie is correctly added to the HttpRequest through the CookieFilter, but in case a user header "Cookie" was added to the request before, then the cookie added by the CookieFilter will be filtered out and not sent to the backend. This is typically the case with session cookies.

        I think that the problem lies in the method jdk.internal.net.http.Http1Request.collectHeaders0(StringBuilder): see comment of line 111: "Filter any headers from systemHeaders that are set in userHeaders". The line 127 "collectCookie(...)" uses the filtered systemHeaders so any cookie set by the CookieFilter in the systemHeaders is filtered out in case the userHeaders contains some Cookie.

        I suppose that the problem is similar with HTTP/2 as the same filter is used in jdk.internal.net.http.Stream.headerFrame(long) at line 657, but I did not test it.

        REGRESSION : Last worked in version 11.0.13

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        1. Client sends an HTTP/1.1 request to Backend
        2. Backend send a response with a Set-Cookie: mycookie=1
        3. The cookie mycookie is stored in the CookieHandler from Client
        4. Client creates another request to Backend, adds header "Cookie: anotherone=2" and sens the request
        5. CookieFilter adds the mycookie from the CookieHandler to the systemHeaders of the request


        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        6. Http1Request.collectHeaders0 merges the Cookie from systemHeaders with the Cookie from userHeaders
        7. Backend gets "Cookie: mycookie=1; anotherone=2"
        ACTUAL -
        6. Http1Request.collectHeaders0 filters out the Cookie from systemHeaders
        7. Backend gets only "Cookie: anotherone=2"

        CUSTOMER SUBMITTED WORKAROUND :
        Manage the cookies at application level instead of using CookieHandler: this is not trivial and implies several changes in code of the applications.

        FREQUENCY : always


              dfuchs Daniel Fuchs
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: