JDK-8359343

HttpCookie Parser Incorrectly Handles Cookies with Expires Attribute


    • Type: CSR
    • Resolution: Approved
    • Priority: P4
    • Fix Version: 26
    • Component: core-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description: More compatible with expected behavior. It is also likely an uncommon scenario for Expires and Max-Age to be set with differing values.
    • Interface Kind: Java API
    • Scope: SE

      Summary

      The HttpCookie.parse() method is changed to correctly parse a cookie when both a Max-Age and an Expires attribute are present.

      Problem

      The HttpCookie.parse() method incorrectly forces any cookie containing an "expires" attribute to be parsed using Netscape cookie rules (version 0), even when the cookie explicitly contains a "max-age" attribute as specified in RFC 2109/2965. RFC 6265 (section 5.3) requires Max-Age to take precedence over Expires when both are present, so a client following the current behavior can compute a different lifetime for the cookie than the server intended.

      Solution

      Make the parse method behave as specified in RFC 6265 (Max-Age takes precedence over Expires when both are present), and clarify the apidoc for getMaxAge() and hasExpired() to explain this. Add a reference to RFC 6265 in the class-level docs.
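
      The following Java program is an added example and is not part of this CSR or of the JDK sources. It feeds HttpCookie.parse() a constructed Set-Cookie header in which Max-Age and Expires deliberately disagree, computes the lifetime a compliant parser should derive by applying the RFC 6265 section 5.3 precedence rules (a reference helper written here, not a JDK API), and compares the two so a practitioner can check which behavior a given runtime exhibits. The header value, cookie name and the ten-year Expires date are assumptions chosen for the demonstration; the printed JDK result depends on the JDK version being run.

```java
import java.net.HttpCookie;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.util.List;
import java.util.Locale;

public class CookieMaxAgeCheck {

    // Constructed Set-Cookie header: Max-Age says one hour, Expires says ten years.
    // Per RFC 6265 section 5.3, Max-Age must win.
    static final long MAX_AGE_SECONDS = 3600;
    static final Instant EXPIRES_AT =
        Instant.now().plus(Duration.ofDays(3650)).truncatedTo(ChronoUnit.SECONDS);

    // RFC 1123 date form that HttpCookie's Expires parsing accepts.
    static final DateTimeFormatter RFC1123 = DateTimeFormatter
        .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
        .withZone(ZoneOffset.UTC);

    static String header() {
        return "Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly; Max-Age=" + MAX_AGE_SECONDS
             + "; Expires=" + RFC1123.format(EXPIRES_AT);
    }

    /**
     * Reference lifetime computation (assumption: written for this example) in the order
     * RFC 6265 section 5.3 prescribes: Max-Age when present; otherwise Expires converted to
     * a delta from "now"; otherwise a session cookie, for which HttpCookie uses -1.
     */
    static long rfc6265MaxAge(Long maxAgeAttr, Instant expiresAttr, Instant now) {
        if (maxAgeAttr != null) {
            // RFC 6265 section 5.2.2: delta-seconds <= 0 means the earliest representable
            // time, i.e. the cookie is already expired. Clamp so it never collides with -1.
            return Math.max(0, maxAgeAttr);
        }
        if (expiresAttr != null) {
            long delta = Duration.between(now, expiresAttr).getSeconds();
            return Math.max(0, delta); // a past Expires is "expired now", not "session cookie"
        }
        return -1;
    }

    public static void main(String[] args) {
        List<HttpCookie> cookies = HttpCookie.parse(header());
        HttpCookie c = cookies.get(0);
        long expected = rfc6265MaxAge(MAX_AGE_SECONDS, EXPIRES_AT, Instant.now());

        System.out.println("header  : " + header());
        System.out.println("expected: " + expected + " seconds (RFC 6265: Max-Age takes precedence)");
        System.out.println("JDK     : " + c.getMaxAge() + " seconds, version=" + c.getVersion()
                           + ", hasExpired=" + c.hasExpired());
        if (c.getMaxAge() != expected) {
            System.out.println("DIVERGES: this runtime does not apply RFC 6265 Max-Age/Expires precedence"
                               + " (see JDK-8359343)");
        }
    }
}
```

      Run it with `java CookieMaxAgeCheck.java` on the JDK under test. The reference helper clamps negative and zero lifetimes to 0 rather than letting a stale Expires date produce a value that could be mistaken for the -1 "persist until browser shutdown" default, which is the edge case the getMaxAge() specification change below should also make explicit.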

      Specification

      Change the HttpCookie class level docs as below:

        * <i>http://www.ietf.org/rfc/rfc2109.txt</i></a><br>
        *   RFC 2965 - <a href="http://www.ietf.org/rfc/rfc2965.txt">
        * <i>http://www.ietf.org/rfc/rfc2965.txt</i></a>
        * </blockquote>
        *
      - * <p> HttpCookie class can accept all these 3 forms of syntax.
      + * <p> HttpCookie class can accept all these 3 forms of syntax. This class also provides
      + * partial support for RFC 6265.
        *
        * @spec https://www.rfc-editor.org/info/rfc2109 RFC 2109: HTTP State Management Mechanism
        * @spec https://www.rfc-editor.org/info/rfc2965 RFC 2965: HTTP State Management Mechanism
      + * @spec https://www.rfc-editor.org/info/rfc6265 RFC 6265: HTTP State Management Mechanism
        * @author Edward Wang
        * @since 1.6
        */
       public final class HttpCookie implements Cloneable {
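      Review bot: "partial support for RFC 6265" in the added class-level sentence leaves the reader to guess which parts are supported; name the concrete behavior this change adds and what remains out of scope, for example "This class also provides partial support for RFC 6265: when both Max-Age and Expires attributes are present, Max-Age takes precedence." The new @spec tag is the right place for the reference, but the three hyperlinks above it still use the plain http://www.ietf.org/rfc/ URLs while the @spec tags use https://www.rfc-editor.org/; consider aligning them for consistency.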
      

      Change the hasExpired() method as below

           /**
      -     * Reports whether this HTTP cookie has expired or not.
      +     * Reports whether this HTTP cookie has expired or not. This is
      +     * based on whether {@link #getMaxAge()} seconds have elapsed since
      +     * this object was created.
            *
            * @return  {@code true} to indicate this HTTP cookie has expired;
            *          otherwise, {@code false}
            */
           public boolean hasExpired() {}
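      Review bot: the added hasExpired() sentence does not say how the default getMaxAge() value of -1 (documented below as "persist until browser shutdown") or a maximum age of 0 is treated; read literally, "-1 seconds have elapsed" is always true, which would make every default cookie report as expired. Spell both cases out, for example "A cookie whose maximum age is -1 is never reported as expired by this method; a maximum age of 0 is reported as expired immediately", adjusting to whatever the implementation actually does.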
      

      Change the getMaxAge() method as below:

           /**
      -     * Returns the maximum age of the cookie, specified in seconds. By default,
      -     * {@code -1} indicating the cookie will persist until browser shutdown.
      +     * Returns the maximum age of the cookie, specified in seconds from the time
      +     * the object was created. By default, {@code -1} indicating the cookie will
      +     * persist until browser shutdown.
      +     *
      +     * The value of this attribute is determined by the following steps, in line
      +     * with RFC 6265:
      +     *
      +     * <ol><li>If {@link #setMaxAge(long)} was called, return the value set.</li>
      +     * <li>If previous step failed, and a {@code Max-Age} attribute was parsed
      +     * then return that value.</li>
      +     * <li>If previous step failed, and an {@code Expires} attribute was parsed
      +     * then the maxAge calculated at parsing time from that date, is returned</li>
      +     * <li>If previous step failed, then return {@code -1}.</li></ol>
            *
            * @return  an integer specifying the maximum age of the cookie in seconds
            *
            * @see  #setMaxAge
            */
          public long getMaxAge() {}
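      Review bot: "If previous step failed" does not fit step 1, which either happened or did not, and reads oddly in the later steps too; "Otherwise, if ..." in steps 2 to 4 says the same thing more plainly and makes the Max-Age-over-Expires precedence (the RFC 6265 order) stand out. Step 3 should also say what the result is when the Expires date is already in the past at parse time (a zero or negative delta), so that a stale date cannot produce a value indistinguishable from the -1 default that means "persist until browser shutdown", and that the delta is fixed at parse time rather than recomputed from the Expires date. Finally, the @return tag still says "an integer specifying the maximum age" while the method returns long; "a long" or simply "the maximum age of the cookie in seconds" would match the signature.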

            michaelm Michael McMahon
            webbuggrp Webbug Group
            Daniel Fuchs