JBEAP-19591 (JBoss Enterprise Application Platform)

(7.2.z) UNDERTOW-1716 - Allow colon in the request cookie value regardless of setting ALLOW_HTTP_SEPARATORS_IN_V0


As of JBEAP-16975 / UNDERTOW-1548, HTTP separators are not allowed in a V0 cookie value unless io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 is set to true.
So, by default, Undertow truncates the cookie value at the first HTTP separator (for compatibility with EAP 6).

However, "<hostcontroller-name>:<server-name>" (e.g. master:node1) is added to the JSESSIONID cookie as the jvmRoute (instance-id) by default in WildFly domain mode. Hence, a colon ":" (one of the HTTP separators) is included in the cookie value. For example:

JSESSIONID="WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_.master:node1"

So, the request cookie will be parsed and handled as WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_.master (i.e. only the part of the cookie value before the colon ":").

This behavior is still okay when Undertow is working as an application server, because the cookie value is decoded by WildFly's CodecSessionConfig and WildFly handles only the part of the cookie value before the period "." (WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_ in the above example). So, the result is the same regardless of whether there is a colon ":" after the period "." in the cookie value. So far so good.

However, this default behavior becomes a problem when WildFly/Undertow runs as a load balancer (configured with <reverse-proxy> or <mod-cluster>), because Undertow needs to handle the jvmRoute part of the request cookie value (master:node1 in the above example), which contains ":", correctly in order to maintain the sticky session.

Let's change Undertow to allow ":" in the request cookie value regardless of the io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 setting.
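As an added illustration that is not part of this issue or of the Undertow/WildFly code base, the following Python model reproduces the behaviour described above: a V0 value cut at the first HTTP separator, the application server keeping only the part before the period, and the load balancer losing the jvmRoute. The function names, the sample Cookie header and the backend map are constructed for this example; ALLOW_HTTP_SEPARATORS_IN_V0 and the proposed colon exception are modelled as function parameters rather than read from system properties.

```python
# Added example, not Undertow's or WildFly's own code: a small model of the
# V0 request-cookie handling this issue describes. The function names,
# the backend map and the sample header are constructed for illustration.

# RFC 2616 "separators": ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
HTTP_SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')


def parse_v0_value(raw, allow_separators=False, always_allowed=frozenset()):
    """Return the part of a V0 cookie value that the parser keeps.

    allow_separators models io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0.
    always_allowed models the change proposed here: separators that never
    terminate the value (frozenset(":") for the colon exception).
    """
    if allow_separators:
        return raw
    kept = []
    for ch in raw:
        if ch in HTTP_SEPARATORS and ch not in always_allowed:
            break  # default behaviour: value is cut at the first separator
        kept.append(ch)
    return "".join(kept)


def parse_cookie_header(header, allow_separators=False, always_allowed=frozenset()):
    """Parse a 'Cookie:' header value into {name: value} with V0 rules.

    Pairs are split on ';' first, so ';' never reaches parse_v0_value.
    Quoted values and V1 cookies are out of scope for this model.
    """
    cookies = {}
    for pair in header.split(";"):
        name, eq, value = pair.strip().partition("=")
        if not eq or not name:
            continue
        cookies[name] = parse_v0_value(value.strip(), allow_separators, always_allowed)
    return cookies


def app_session_id(jsessionid):
    """Application-server view: only the part before the first '.' matters."""
    return jsessionid.split(".", 1)[0]


def jvm_route(jsessionid):
    """Load-balancer view: the instance-id after the last '.', or None."""
    _, dot, route = jsessionid.rpartition(".")
    return route if dot else None


def pick_backend(jsessionid, backends):
    """Sticky routing: backend for the cookie's jvmRoute, None if unknown."""
    return backends.get(jvm_route(jsessionid))


# Constructed sample: cookie set by a WildFly domain with host controller
# "master" and server "node1", plus an unrelated cookie on the same header.
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_.master:node1; theme=dark"
)
# Constructed backend map keyed by instance-id (host-controller:server).
BACKENDS = {
    "master:node1": "http://10.0.0.11:8080",
    "master:node2": "http://10.0.0.12:8080",
}


def resolve(header, allow_separators=False, always_allowed=frozenset()):
    """Return (parsed JSESSIONID, app session id, chosen backend)."""
    sid = parse_cookie_header(header, allow_separators, always_allowed)["JSESSIONID"]
    return sid, app_session_id(sid), pick_backend(sid, BACKENDS)


if __name__ == "__main__":
    print("default             :", resolve(SAMPLE_COOKIE_HEADER))
    print("ALLOW_SEPARATORS    :", resolve(SAMPLE_COOKIE_HEADER, allow_separators=True))
    print("colon always allowed:", resolve(SAMPLE_COOKIE_HEADER, always_allowed=frozenset(":")))
```

Running it shows the default parse returning a JSESSIONID ending in `.master` with no backend match (stickiness lost), while either the legacy property or the colon exception yields `master:node1` and the right backend. The application-server session id is identical in all three cases, which is why the truncation went unnoticed outside the load-balancer role; note that other separators such as `,` still truncate the value even with the colon exception enabled.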

rhn-support-ivassile Ilia Vassilev