-
Bug
-
Resolution: Done
-
Major
-
2.0.30.Final, 2.1.1.Final
-
None
As of JBEAP-16975 / UNDERTOW-1548, http separators are not allowed in V0 cookie value unless io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 is set to true.
So, Undertow truncates the cookie value after any http separators by default (because of being compatible with EAP 6).
However, "<hostcontroller-name>:<server-name>" (e.g. master:node1) is added to the JSESSIONID cookie as jvmRoute (instance-id) by default in WildFly domain mode. Hence, colon ":" (one of http separators) is included in the cookie value. For example:
JSESSIONID="WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_.master:node1"
So, the request cookie will be parsed and handled as WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_.master (= the cookie value only before colon ":").
This behavior is still okay when it's working as an application server. Because a cookie value is decoded by WildFly's CodecSessionConfig and WildFly handles only the cookie value before period "." (WCGWBPJ8DUmv0fvREqVQZb8E6bzW92iHnzysV_q_ in the above example). So, the result is the same regardless of having colon ":" in after period "." in the cookie value. So far so good.
However, this default behavior becomes a problem when WildFly/Undertow runs as a load balancer (configured with <reverse-proxy> or <mod-cluster>). Because Undertow needs to handle the jvmRoute part (master:node1 in the above example) which contains ":" correctly in the request cookie value to maintain the sticky session.
Let's change Undertow to allow ":" in the request cookie value regardless of the io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 setting.
- is cloned by
-
JBEAP-19590 (7.3.z) UNDERTOW-1716 - Allow colon in the request cookie value regardless of setting ALLOW_HTTP_SEPARATORS_IN_V0
- Closed
- is duplicated by
-
UNDERTOW-1626 Cookie value is truncated on colon (':')
- Resolved
- relates to
-
WEJBHTTP-30 Thousand of unauthorized requests in between balancer and backend if backend is running in a cluster
- Resolved
-
JBEAP-17633 [GSS](7.2.z) WEJBHTTP-30 - Thousand of unauthorized requests in between balancer and backend if backend is running in a cluster
- Closed
-
JBEAP-18605 [GSS](7.3.z) WEJBHTTP-30 - Thousand of unauthorized requests in between balancer and backend if backend is running in a cluster
- Closed