Undertow issue UNDERTOW-2082

HTTP/2 doesn't reassemble cookie headers, violating RFC 7540



    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Version: 2.3.0.Final
    • Component: Core


      https://www.rfc-editor.org/rfc/rfc7540#section- states

      To allow for better compression efficiency, the Cookie header field
         MAY be split into separate header fields, each with one or more
         cookie-pairs.  If there are multiple Cookie header fields after
         decompression, these MUST be concatenated into a single octet string
         using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
         before being passed into a non-HTTP/2 context, such as an HTTP/1.1
         connection, or a generic HTTP server application.

      When an HTTP/2 request with multiple cookie headers is sent to Undertow, the following happens:

      • The HttpServerExchange has all cookies
      • The HttpServletRequest has all cookies
      • The multiple Cookie headers are NOT combined back into a single Cookie header as the spec requires

      This breaks applications that do their own parsing of the Cookie header and only grab the first (or last) Cookie header, as they will only "see" one cookie.  It is forbidden to have more than one Cookie header in HTTP/1.

      Undertow needs to correctly reassemble multiple Cookie headers from HTTP/2 requests into a single header so that applications can parse the header manually.
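      The following is an added illustration of the RFC 7540 rule quoted above and of the application-side failure mode this report describes; it is not Undertow code and does not use the Undertow API. The HTTP/2 header list (what a server holds after HPACK decompression) is constructed inline, with the client having split Cookie into three fields. `reassemble_cookie_headers` does what the spec requires of the server before the request reaches a non-HTTP/2 context; `app_cookies_first_header_only` models an application that reads the Cookie header itself and keeps only the first one it finds, which is exactly the code that breaks today.

```python
"""RFC 7540 section 8.1.2.5 cookie reassembly, demonstrated on a constructed
decompressed HTTP/2 header list. Added example, not Undertow's implementation."""
from typing import Dict, List, Tuple

# Constructed sample: the header list a server sees after HPACK decompression.
# The client split its Cookie header into three fields for better compression,
# which RFC 7540 allows. One value contains '=' inside the cookie value.
SPLIT_COOKIE_REQUEST: List[Tuple[str, str]] = [
    (":method", "GET"),
    (":path", "/account"),
    (":authority", "example.test"),
    ("cookie", "session=abc123"),
    ("cookie", "csrf=tok-9; theme=dark"),
    ("cookie", "lang=en-US; sig=YWJj=="),
    ("user-agent", "constructed-client/1.0"),
]


def count_cookie_fields(headers: List[Tuple[str, str]]) -> int:
    """How many separate Cookie fields are present (HTTP/2 names are lowercase)."""
    return sum(1 for name, _ in headers if name.lower() == "cookie")


def reassemble_cookie_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Server-side step RFC 7540 requires: concatenate every Cookie field, in
    order, with the two-octet delimiter 0x3B 0x20 ("; ") into one field.
    The merged field keeps the position of the first Cookie field."""
    values = [v for n, v in headers if n.lower() == "cookie"]
    if len(values) <= 1:
        return list(headers)
    joined = "; ".join(values)
    out: List[Tuple[str, str]] = []
    merged_written = False
    for name, value in headers:
        if name.lower() == "cookie":
            if not merged_written:
                out.append((name, joined))
                merged_written = True
            continue
        out.append((name, value))
    return out


def parse_cookie_pairs(cookie_string: str) -> Dict[str, str]:
    """Parse an RFC 6265 cookie-string into name -> value. Pairs are separated
    by ';'; each pair is split on its FIRST '=' so values containing '=' survive.
    Parts without '=' are not valid cookie-pairs and are skipped."""
    pairs: Dict[str, str] = {}
    for part in cookie_string.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if sep:
            pairs[name.strip()] = value.strip()
    return pairs


def app_cookies_first_header_only(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Model of the application behaviour the report describes: the app does its
    own parsing and assumes at most one Cookie header exists (true for HTTP/1.x),
    so it reads the first one and ignores the rest."""
    for name, value in headers:
        if name.lower() == "cookie":
            return parse_cookie_pairs(value)
    return {}


def app_cookies_all_headers(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Defensive application-side parsing: merge every Cookie field received.
    This is the workaround an app can apply until the server reassembles."""
    merged: Dict[str, str] = {}
    for name, value in headers:
        if name.lower() == "cookie":
            merged.update(parse_cookie_pairs(value))
    return merged


if __name__ == "__main__":
    print("cookie fields received:", count_cookie_fields(SPLIT_COOKIE_REQUEST))
    print("app sees (first header only):", app_cookies_first_header_only(SPLIT_COOKIE_REQUEST))
    fixed = reassemble_cookie_headers(SPLIT_COOKIE_REQUEST)
    print("after RFC 7540 reassembly:", dict(fixed)["cookie"])
    print("app sees after reassembly:", app_cookies_first_header_only(fixed))
```

      Running it shows the application reading only the first header ends up with just `session`, while after reassembly (or with the merge-all-headers workaround) it sees all five cookies. The delimiter order matters: the spec says the fields are concatenated in order, so a server must not sort or deduplicate them, and an application must keep splitting on the first `=` of each pair since cookie values may themselves contain `=`.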




            People: Bartosz Baranowski (rhn-cservice-bbaranow), Brad Wood (bdw429s)
            Votes: 2
            Watchers: 6