Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-961

Only last cookie is parsed (out of a multi-cookies "Cookie" header)


    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Major Major
    • 3.0.5.Final
    • 3.0.4.Final
    • jaxrs
    • None

      Both RFC 2109 (which JAX-RS follows despite not being implemented by anyone) and RFC 6265 (which documents and specify how cookies actually work on the web) allow multiple cookies per Cookie header, separated by ;.

      RFC 2109 makes it a bit harder to parse those as it allows $Version, $Path and $Domain to be sent along with the name-value pair, but still.

      Jersey has it right: https://github.com/jersey/jersey/blob/e3d0c1b14eccf108262279f3f15ffbe8514a322d/core-common/src/main/java/org/glassfish/jersey/message/internal/CookiesParser.java#L73

      Resteasy on the other hand will only parse a single name-value pair per Cookie header, the last one, ignoring all other cookies in the header.

      Add to that the reliance of JAX-RS on RFC 2109 and you have something unusable in practice.

            patriot1burke@gmail.com Bill Burke (Inactive)
            t.broyer Thomas Broyer (Inactive)
            0 Vote for this issue
            2 Start watching this issue