Details
-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
3.0.19.Final, 3.1.0.Beta2
-
None
Description
Hi
While debugging an authentication issue with a rest api i discovered that the current implementation is not spec compliant in two ways:
1) Client sends back too much data to the server
When executing a simple client request with a Cookie like this:
ClientBuilder.newClient().target("http://localhost:8080").request().cookie(new Cookie("myCookieName", "myCookieValue", "/mypath", "mydomain")).get(String.class);
The http header sent to the server is:
Cookie: myCookieName=myCookieValue; Domain=mydomain; Path=/mypath
From my reading of the spec, it should only send:
Cookie: myCookieName=myCookieValue
The header is generated by CookieHeaderDelegate which is probably also used in other parts of the system so I don't have a quickfix.
2) Multiple cookies are sent as separate headers
ClientBuilder.newClient().target("http://localhost:8080").request().cookie(new Cookie("firstCookieName", "firstCookieValue", "/firstCookiepath", "firstCookieDomain")).cookie(new Cookie("secondCookieName", "secondCookieValue", "/secondCookiepath", "secondCookieDomain")).get(String.class);
Generated headers:
Cookie: firstCookieName=firstCookieValue; Domain=firstCookieDomain; Path=/firstCookiepath
Cookie: secondCookieName=secondCookieValue; Domain=secondCookieDomain; Path=/secondCookiepath
Expected header:
Cookie: firstCookieName=firstCookieValue; secondCookieName=secondCookieValue
The specification states:
When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field.
The above examples are simplified, I found the issue after a couple of days of debugging an authentication issue where a NewCookie from a response was sent directly back in a request.
The header is generated by CookieHeaderDelegate which is probably also used in other parts of the system so I don't have a quickfix.
Attachments
Issue Links
- is incorporated by
-
-
- Resolved
-
