
plevart commented Jul 27, 2021

I propose this patch for issue #2811

…eaders instead of ',' which does not work for some servers any more. HttpUrlConnector and JdkConnector are affected.
@plevart
Author

plevart commented Jul 27, 2021

I have now signed the ECA. How to force a re-check above?
EDIT: It was automatic. It now passes the check.

@plevart
Author

plevart commented Jul 29, 2021

Just a note that the presented patch solves my problem of correctly interpreting Cookies on the server side.

@jansupol
Contributor

Note: Cookie2 is from RFC 2965, obsoleted by RFC 6265.

@jansupol
Contributor

Hi, thank you for your PR.

I am not sure about this. The HTTP headers are delimited by "," separator, whereas ";" separator is used to separate multiple parts of a single HTTP header value. For instance Accept-Encoding: compress;q=0.5, gzip;q=1.0.

The question is how the header values got split into multiple strings in the list when ";" is used. Unfortunately, there are multiple ways to enter the headers into Jersey. A test case would make it clear how it was done.

@plevart
Author

plevart commented Sep 10, 2021

> Unfortunately, there are multiple ways to enter the headers into Jersey. A test case would make it clear how it was done.

These headers were not "entered" into Jersey by the app, but by the JdkConnectorProvider or HttpUrlConnectorProvider as part of processing the Set-Cookie response header, which stores cookies that are later added to the Cookie request header that follows. So this works automatically without any user code. It mimics what browsers do with cookies.

@plevart
Author

plevart commented Sep 10, 2021

> I am not sure about this. The HTTP headers are delimited by "," separator, whereas ";" separator is used to separate multiple parts of a single HTTP header value. For instance Accept-Encoding: compress;q=0.5, gzip;q=1.0.

See: https://datatracker.ietf.org/doc/html/rfc6265#section-5.4

There should only be one Cookie request header (there can be many Set-Cookie response headers), so multiple cookie values (which are pairs of key=value) must be sent with a single Cookie request header. You can view multiple key=value pairs as parts of a single Cookie header value which are delimited with ';'. A single key=value pair will never have ';' in it, so this should be safe.

For example, take a look at what Mozilla Firefox does. It sends a single Cookie request header that looks like this:

Cookie: experimentation_subject_id=censored_value; _ga=censored_value; _fbp=censored_value; _rdt_uuid=censored_value

In this example, 4 cookies were being sent to the server.

@plevart
Author

plevart commented Sep 10, 2021

> Note: Cookie2 is from RFC 2965, obsoleted by RFC 6265.

I agree, the patch should only consider "Cookie" as the request header when special-casing the concatenation of parts (values).
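
Added example (not part of this PR and not Jersey's code): a sketch of the joining rule discussed in this thread, with a minimal server-side parse showing why a ","-joined Cookie header is misread. The names `joinHeaderValues` and `parseCookieHeader` are hypothetical, and the cookie values are constructed samples.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CookieHeaderJoin {

    // Hypothetical helper: joins the values collected for one request header
    // into a single header line. Only "Cookie" is special-cased (RFC 6265,
    // section 5.4); "Cookie2" and every other header keep the "," delimiter.
    static String joinHeaderValues(String name, List<String> values) {
        String delimiter = "Cookie".equalsIgnoreCase(name) ? "; " : ",";
        return String.join(delimiter, values);
    }

    // Minimal server-side view: split a Cookie header value into
    // name=value pairs on ';', as an RFC 6265 style parser would.
    static Map<String, String> parseCookieHeader(String headerValue) {
        Map<String, String> cookies = new LinkedHashMap<>();
        for (String pair : headerValue.split(";")) {
            int eq = pair.indexOf('=');
            if (eq > 0) {
                cookies.put(pair.substring(0, eq).trim(),
                            pair.substring(eq + 1).trim());
            }
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the PR.
        List<String> stored = List.of("JSESSIONID=abc123", "theme=dark");

        // Joining with "," makes the server see one cookie whose value
        // swallows the second pair.
        String commaJoined = String.join(",", stored);
        String fixed = joinHeaderValues("Cookie", stored);

        System.out.println("Cookie: " + commaJoined
                + " -> " + parseCookieHeader(commaJoined));
        System.out.println("Cookie: " + fixed
                + " -> " + parseCookieHeader(fixed));

        // Other headers are unaffected and stay comma-delimited.
        System.out.println("Accept-Encoding: " + joinHeaderValues(
                "Accept-Encoding", List.of("compress;q=0.5", "gzip;q=1.0")));
    }
}
```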
