Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.4.0.Final, EE 1.0.0.Final, EE 2.0.0.Final, 2.4.0.Beta1, EE 2.0.0.Alpha2, EE 1.0.0.Alpha1
Affects Version/s: None
Component/s: None
Labels:
None

Git Pull Request:
https://github.com/undertow-io/undertow/pull/1408, https://github.com/undertow-io/undertow/pull/1428, https://github.com/undertow-io/undertow/pull/1903, https://github.com/undertow-io/undertow-ee/pull/60, https://github.com/undertow-io/undertow-ee/pull/61

Just so stuff does not get lost. Cookie parsing code should be revised and fixed. Keypoints:

natural ordering is bad, cookie order should be retained, clients, according to specs SHOULD order by best match first(most likely only for v1?).
cookie parsing, especially V1( rfc2109.txt ) depend on cookies being separated, which is incorrect:
The syntax for the header is:
4.3.4 Sending Cookies to the Origin Server
cookie = "Cookie:" cookie-version
1*((";" | ",") cookie-value)
cookie-value = NAME "=" VALUE [";" path] [";" domain]
cookie-version = "$Version" "=" value
NAME = attr
VALUE = value
path = "$Path" "=" value
domain = "$Domain" "=" value
possibly check rfc2109 vs 6265 cookie parsing?

blocks

UNDERTOW-2149 Wrong SessionID returned due to multiple JSESSIONID cookies with different path

is incorporated by

WFCORE-7475 Upgrade Undertow to 2.4.x

is related to

UNDERTOW-2089 RFC 6265 treats the attributes of an RFC 2109 cookie as a separate cookies

relates to

UNDERTOW-2082 HTTP/2 doesn't reassemble cookie headers violating rfc7540 8.1.2.5