- Bug
- Resolution: Done
- Critical
- None
- None
RFC 7540, section 8.1.2.5 (https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.5) states:
To allow for better compression efficiency, the Cookie header field MAY be split into separate header fields, each with one or more cookie-pairs. If there are multiple Cookie header fields after decompression, these MUST be concatenated into a single octet string using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ") before being passed into a non-HTTP/2 context, such as an HTTP/1.1 connection, or a generic HTTP server application.
When an HTTP/2 request with multiple Cookie headers is sent to Undertow, the following happens:
- The HttpServerExchange has all cookies
- The HttpServletRequest has all cookies
- The multiple Cookie headers are NOT combined into a single Cookie header again, as the spec requires
This breaks applications that do their own parsing of the Cookie header and only grab the first (or last) Cookie header, as they will only "see" one cookie. It is forbidden to have more than one Cookie header in HTTP/1.
Undertow needs to correctly reassemble multiple Cookie headers from HTTP/2 requests into a single header so applications can properly parse the header manually.
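The following is an added example, not Undertow's code and not part of the original report. It models the RFC 7540 section 8.1.2.5 rule on a plain list of decoded header fields: `split_cookie_for_h2` is the client-side split that produces several Cookie fields, `reassemble_cookie_headers` is the server-side concatenation with "; " that a non-HTTP/2 context expects, and `first_cookie_header_only` is the kind of application parser the report describes, which sees one cookie before reassembly and all of them after. All function names and the sample header list are constructed for this illustration.

```python
# Added example (not Undertow's code): reassembly of HTTP/2 Cookie header
# fields per RFC 7540 section 8.1.2.5, and the application-side parser that
# breaks when a server skips that step. Header lists are constructed samples.

COOKIE_DELIM = "; "  # the two-octet delimiter 0x3B 0x20 mandated by the RFC


def split_cookie_for_h2(cookie_header):
    """Client/proxy side: split one HTTP/1.1 Cookie header into one field per
    cookie-pair, as RFC 7540 permits for better HPACK compression."""
    pairs = [p.strip() for p in cookie_header.split(";") if p.strip()]
    return [("cookie", p) for p in pairs]


def reassemble_cookie_headers(headers):
    """Server side: collapse every Cookie field of a decoded HTTP/2 header list
    into a single field joined with '; ', preserving order, before handing the
    list to code that assumes HTTP/1.1 semantics (at most one Cookie header).
    Other fields pass through unchanged; the merged Cookie field takes the
    position of the first Cookie field."""
    merged = []
    cookie_values = []
    cookie_index = None
    for name, value in headers:
        if name.lower() == "cookie":
            if cookie_index is None:
                cookie_index = len(merged)
                merged.append(None)  # placeholder, filled in after the loop
            if value:  # an empty Cookie field contributes no cookie-pair
                cookie_values.append(value)
        else:
            merged.append((name, value))
    if cookie_index is not None:
        merged[cookie_index] = ("cookie", COOKIE_DELIM.join(cookie_values))
    return merged


def parse_cookie_pairs(cookie_header):
    """Parse 'a=1; b=2' into a dict (cookie-pair grammar of RFC 6265, 4.2.1)."""
    cookies = {}
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        cookies[name.strip()] = value.strip() if sep else ""
    return cookies


def first_cookie_header_only(headers):
    """The manual parsing the ticket describes: read the first Cookie header
    and ignore any others. Correct for HTTP/1.1 (where only one may exist),
    wrong for an HTTP/2 header list that was not reassembled."""
    for name, value in headers:
        if name.lower() == "cookie":
            return parse_cookie_pairs(value)
    return {}


# Constructed sample: the HTTP/2 request a client may send after splitting
# "Cookie: JSESSIONID=abc123; theme=dark; csrf=tok" into three fields.
H2_REQUEST_HEADERS = [
    (":method", "GET"),
    (":path", "/account"),
    ("cookie", "JSESSIONID=abc123"),
    ("accept", "text/html"),
    ("cookie", "theme=dark"),
    ("cookie", "csrf=tok"),
]


def demo():
    """Return what the naive parser sees without and with reassembly."""
    before = first_cookie_header_only(H2_REQUEST_HEADERS)
    after = first_cookie_header_only(reassemble_cookie_headers(H2_REQUEST_HEADERS))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("without reassembly:", before)
    print("with reassembly:   ", after)
```

Running `demo()` shows the failure mode from the report: without reassembly the application gets only `JSESSIONID`, with it all three cookie-pairs. The reassembly is done once at the HTTP/2 boundary, so application code written against HTTP/1.1 semantics needs no change.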
- is incorporated by: WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764) (Closed)
- is related to: UNDERTOW-2194 Cookie parsing/assembling does not work 100% correctly. (Pull Request Sent)