Summary
The HttpCookie.parse() method is changed to parse cookies correctly when both a Max-Age and an Expires attribute are present.
Problem
The HttpCookie.parse() method incorrectly forces any cookie containing an "expires" attribute to be parsed using Netscape cookie rules (version 0), even when the cookie explicitly contains a "max-age" attribute as specified in RFC 2109/2965.
Solution
Make the parse method behave as specified in RFC 6265 and clarify the apidoc for getMaxAge() and hasExpired() to explain this. Add a reference to RFC 6265 in the class level docs.
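A runtime check for the behaviour described above, as an added example that is not part of this CSR or of the JDK sources: it parses two constructed Set-Cookie headers that carry both attributes, in either order, and reports whether the lifetime reported by getMaxAge() is the Max-Age value. The class name, cookie name and date are assumptions made for the example.

```java
import java.net.HttpCookie;
import java.util.List;

// Added example: checks how the running JDK resolves Max-Age against Expires.
public class CookieLifetimeCheck {

    // Constructed sample values: a 60 second Max-Age beside an Expires date far in the future,
    // so the two attributes give clearly different lifetimes.
    static final long MAX_AGE = 60;
    static final String EXPIRES = "Expires=Fri, 01 Jan 2100 00:00:00 GMT";
    static final String[] HEADERS = {
        "Set-Cookie: sid=constructed; Max-Age=" + MAX_AGE + "; " + EXPIRES,
        "Set-Cookie: sid=constructed; " + EXPIRES + "; Max-Age=" + MAX_AGE,
    };

    /** Returns true when the parsed lifetime is the Max-Age value (Max-Age takes precedence). */
    static boolean maxAgeWins(String header) {
        List<HttpCookie> cookies = HttpCookie.parse(header);
        if (cookies.size() != 1) {
            return false; // header was split or dropped, so the lifetime cannot be trusted
        }
        return cookies.get(0).getMaxAge() == MAX_AGE;
    }

    public static void main(String[] args) {
        boolean allOk = true;
        for (String header : HEADERS) {
            boolean ok;
            try {
                ok = maxAgeWins(header);
            } catch (IllegalArgumentException e) {
                ok = false; // parser rejected the header outright
            }
            allOk &= ok;
            System.out.println((ok ? "OK   " : "FAIL ") + header);
        }
        // Non-zero exit lets a build or deployment check flag a runtime without the fix.
        System.exit(allOk ? 0 : 1);
    }
}
```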
Specification
Change the HttpCookie class level docs as below:
* <i>http://www.ietf.org/rfc/rfc2109.txt</i></a><br>
* RFC 2965 - <a href="http://www.ietf.org/rfc/rfc2965.txt">
* <i>http://www.ietf.org/rfc/rfc2965.txt</i></a>
* </blockquote>
*
- * <p> HttpCookie class can accept all these 3 forms of syntax.
+ * <p> HttpCookie class can accept all these 3 forms of syntax. This class also provides
+ * partial support for RFC 6265.
*
* @spec https://www.rfc-editor.org/info/rfc2109 RFC 2109: HTTP State Management Mechanism
* @spec https://www.rfc-editor.org/info/rfc2965 RFC 2965: HTTP State Management Mechanism
+ * @spec https://www.rfc-editor.org/info/rfc6265 RFC 6265: HTTP State Management Mechanism
* @author Edward Wang
* @since 1.6
*/
public final class HttpCookie implements Cloneable {
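Review bot: In the added sentence "This class also provides partial support for RFC 6265", "partial" is left undefined, so a caller cannot tell which RFC 6265 rules the parser applies. Name the supported behaviour here (going by this CSR, Max-Age taking precedence over Expires) or point to getMaxAge(), where the steps are listed. The preceding "all these 3 forms of syntax" also reads oddly once a fourth specification appears in the @spec list.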
Change the hasExpired() method as below:
/**
- * Reports whether this HTTP cookie has expired or not.
+ * Reports whether this HTTP cookie has expired or not. This is
+ * based on whether {@link #getMaxAge()} seconds have elapsed since
+ * this object was created.
*
* @return {@code true} to indicate this HTTP cookie has expired;
* otherwise, {@code false}
*/
public boolean hasExpired() {}
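Review bot: The new hasExpired() sentence does not say what is returned when getMaxAge() is the default -1, which the getMaxAge() doc describes as persisting until browser shutdown; "-1 seconds have elapsed" has no obvious reading. State the result for negative and zero values explicitly, since callers use this method to decide whether a stored cookie may still be sent.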
Change the getMaxAge() method as below:
/**
- * Returns the maximum age of the cookie, specified in seconds. By default,
- * {@code -1} indicating the cookie will persist until browser shutdown.
+ * Returns the maximum age of the cookie, specified in seconds from the time
+ * the object was created. By default, {@code -1} indicating the cookie will
+ * persist until browser shutdown.
+ *
+ * The value of this attribute is determined by the following steps, in line
+ * with RFC 6265:
+ *
+ * <ol><li>If {@link #setMaxAge(long)} was called, return the value set.</li>
+ * <li>If previous step failed, and a {@code Max-Age} attribute was parsed
+ * then return that value.</li>
+ * <li>If previous step failed, and an {@code Expires} attribute was parsed
+ * then the maxAge calculated at parsing time from that date, is returned</li>
+ * <li>If previous step failed, then return {@code -1}.</li></ol>
*
* @return an integer specifying the maximum age of the cookie in seconds
*
* @see #setMaxAge
*/
public long getMaxAge() {}
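Review bot: "If previous step failed" in the second to fourth list items is ambiguous: not calling setMaxAge(long) is not a failure, and for the Max-Age and Expires items it is unclear whether an attribute that is present but unparseable counts as failed. "Otherwise, if ..." with an explicit statement for malformed values would be clearer, as would the value returned when the parsed Expires date is already in the past. Item 3 also has a stray comma in "from that date, is returned" and lacks the closing period the other items have, and the paragraph starting "The value of this attribute" needs a <p> after the blank comment line.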
CSR of: JDK-8351983 HttpCookie Parser Incorrectly Handles Cookies with Expires Attribute (Resolved)