JBEAP-16975 / UNDERTOW-1548: HTTP separators are not allowed in a V0 cookie value unless io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 is set to true.
So, by default, Undertow truncates the cookie value after any HTTP separator (for compatibility with EAP 6).
However, in WildFly domain mode, "<hostcontroller-name>:<server-name>" (e.g. master:node1) is added to the JSESSIONID cookie as the jvmRoute (instance-id) by default. Hence, a colon ":" (one of the HTTP separators) is included in the cookie value. For example:
So, the request cookie will be parsed and handled as WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_.master (that is, only the part of the cookie value before the colon ":").
This behavior is still okay when WildFly is working as an application server, because the cookie value is decoded by WildFly's CodecSessionConfig and WildFly handles only the part of the cookie value before the period "." (WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_ in the above example). So, the result is the same regardless of whether there is a colon ":" after the period "." in the cookie value. So far so good.
However, this default behavior becomes a problem when WildFly/Undertow runs as a load balancer (configured with <reverse-proxy> or <mod-cluster>), because Undertow needs to correctly handle the jvmRoute part (master:node1 in the above example), which contains ":", in the request cookie value to maintain the sticky session.
Let's change Undertow to allow ":" in the request cookie value regardless of the io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 setting.
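
The truncation described above and the effect of the proposed change on sticky routing, as an added example (a simplified Python model, not Undertow's or WildFly's own code). The separator set follows RFC 2616; the full cookie value is assembled from the session ID and jvmRoute quoted above, and the route table, backend addresses, function names and the `allowed` parameter are constructed for illustration.

```python
# Simplified model of V0 cookie value handling; not Undertow's parser.
# HTTP separators as listed in RFC 2616, section 2.2.
HTTP_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def parse_v0_value(raw, allowed=""):
    """Return an unquoted V0 cookie value, cut at the first HTTP separator.

    `allowed` (hypothetical parameter) lists separators that do not end
    the value; allowed=":" models the change proposed in this issue.
    """
    for i, ch in enumerate(raw):
        if ch in HTTP_SEPARATORS and ch not in allowed:
            return raw[:i]
    return raw

def split_session_cookie(value):
    """Split '<session-id>.<jvmRoute>' at the first period (assumption)."""
    session_id, _, route = value.partition(".")
    return session_id, (route or None)

def pick_backend(raw_cookie, routes, allowed=""):
    """Model of sticky routing: backend registered for the jvmRoute, or None."""
    _, route = split_session_cookie(parse_v0_value(raw_cookie, allowed))
    return routes.get(route)

# Cookie value assembled from the session ID and jvmRoute in the text above.
RAW = "WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_.master:node1"

# Constructed route table; the addresses are documentation placeholders.
ROUTES = {
    "master:node1": "http://192.0.2.11:8080",
    "master:node2": "http://192.0.2.12:8080",
}

if __name__ == "__main__":
    # Application server view: the session ID is the same either way.
    print(split_session_cookie(parse_v0_value(RAW))[0])
    print(split_session_cookie(parse_v0_value(RAW, allowed=":"))[0])
    # Load balancer view: default parsing yields route "master", which
    # matches no backend, so stickiness is lost; allowing ":" restores it.
    print(pick_backend(RAW, ROUTES))
    print(pick_backend(RAW, ROUTES, allowed=":"))
```
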