Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use '; ' as a separator between values of Cookie or Cookie2 request headers instead of ',' ... #4831

Open
wants to merge 4 commits into
base: 2.x
Choose a base branch
from
Open

Use '; ' as a separator between values of Cookie or Cookie2 request headers instead of ',' ... #4831

wants to merge 4 commits into from

Conversation

plevart
Copy link

@plevart plevart commented Jul 27, 2021

I propose this patch for issue #2811

@plevart
Use '; ' as a separator between values of Cookie or Cookie2 request h…
6c25f59 
…eaders instead of ',' which does not work for some servers any more. HttpUrlConnector and JdkConnector are affected.
@plevart
Copy link
Author

plevart commented Jul 27, 2021
edited

I have now signed ECA. How to force a re-check above?
EDIT: I was automatic. It now passes the check.

@plevart
Copy link
Author

plevart commented Jul 29, 2021

Just a note that the presented patch solves my problem of correctly interpreting Cookies on the server side.

@jansupol
Copy link
Contributor

Note: Cookie2 is from RFC 2965, obsolete by RFC 6265.

@jansupol
Copy link
Contributor

Hi, thank you for your PR.

I am not sure about this. The HTTP headers are delimited by "," separator, whereas ";" separator is used to separate multiple parts of a single HTTP header value. For instance Accept-Encoding: compress;q=0.5, gzip;q=1.0.

The question is how the header values got split into multiple strings in the list when ";" is used. Unfortunately, there are multiple ways to enter the headers into Jersey. A test case would make it clear how was it done.

@plevart
Copy link
Author

plevart commented Sep 10, 2021

Unfortunately, there are multiple ways to enter the headers into Jersey. A test case would make it clear how was it done.

These headers were not "entered" into Jersey by the app, but by the JdkConnectorProvider or HttpUrlConnectorProvider as part of processing the Set-Cookie response header which stores cookies that are later added to Cookie request header that follows. So this works automatically without any user code. It mimics what browsers do with cookies.

@plevart
Copy link
Author

plevart commented Sep 10, 2021

I am not sure about this. The HTTP headers are delimited by "," separator, whereas ";" separator is used to separate multiple parts of a single HTTP header value. For instance Accept-Encoding: compress;q=0.5, gzip;q=1.0.

See: https://datatracker.ietf.org/doc/html/rfc6265#section-5.4

There should only be one Cookie request header (there can be many Set-Cookie response headers), so multiple cookie values (which are pairs of key=value) must be sent with singe Cookie request header. You can view multiple key=value pairs as parts of a single Cookie header value which are delimited with ';'. A single key=value pair will never have ';' in it, so this should be safe.

For examle, taking a look at what Mozilla Firefox does. It sends a single Cookie request header that looks like this:

Cookie: experimentation_subject_id=censored_value; _ga=censored_value; _fbp=censored_value; _rdt_uuid=censored_value

In this example, 4 cookies were being sent to the server.

@plevart
Copy link
Author

plevart commented Sep 10, 2021

Note: Cookie2 is from RFC 2965, obsolete by RFC 6265.

I agree, the patch should only consider "Cookie" as the request header when special-casing the concatenation of parts (values).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@plevart @jansupol