8276774 Solution Proposal for Cookie stored in CookieHandler not sent if user headers contain cookie

Daniel Fuchs daniel.fuchs at oracle.com
Mon Nov 8 12:05:31 UTC 2021


Hi Pierre,

Thanks for reporting this issue, and thanks for the detailed
explanations. We will have a look at this.

My first thought is that the fix might be a bit more complex
than what you are suggesting here - since we might want
to let a user cookie override the value of a system cookie.
So we might need to fix `collectCookies` to allow for that too.
This probably needs some further investigation.

best regards,

-- daniel

On 08/11/2021 06:32, pierre.viret at postfinance.ch wrote:
> Hi
> 
> I have filed a bug report for a problem with Cookie in HttpClient and 
> the following bug was opened now:
> 
> Issue: https://bugs.openjdk.java.net/browse/JDK-8276774
> 
> Proposal to solve the problem for Http/1.1:
> 
> · Class jdk/internal/net/http/Http1Request.java, Method collectHeaders0
> 
> · Replace line 112 with: HttpHeaders filteredSystemHeaders = 
> HttpHeaders.of(systemHeaders.map(), (k,v) -> uh.firstValue(k).isEmpty());
> 
> · Replace line 118 with: collectHeaders1(sb, filteredSystemHeaders, 
> nocookies);
> 
> The idea is that the line 127: “collectCookies(sb, systemHeaders, 
> userHeaders);”  will then use the real system headers containing the 
> Cookie header with the cookies from the CookieManager, and so we should 
> collect both cookies from userHeaders and from systemHeaders together.
> 
> Could someone please check this and perform the fix?
> 
> Note that the same problem probably impacts the HTTP/2 implementation as 
> the same filter is used in 
> jdk.internal.net.http.Stream.headerFrame(long) at line 658
> 
> sysh = HttpHeaders.of(sysh.map(), (k,v) -> uh.firstValue(k).isEmpty());
> 
> So we should check this case, too.
> 
> Regards,
> 
> Pierre
> 
> 
> 
> Security notice: This e-mail from PostFinance is signed. You will find 
> further information on this at: https://www.postfinance.ch/e-signature. 
> Never disclose your security elements to third parties.
> 
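
The header merge discussed in this thread, modelled with the public `java.net.http.HttpHeaders` API as an added example (not code from the JDK or from either poster). The class name, the `filterSystem` and `cookieLine` helpers and the sample header values are constructed for illustration.

```java
import java.net.http.HttpHeaders;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class CookieMergeDemo {

    // The filter quoted in the thread: keep a system header only when the
    // user headers do not already carry a header with that name.
    static HttpHeaders filterSystem(HttpHeaders sys, HttpHeaders user) {
        return HttpHeaders.of(sys.map(), (k, v) -> user.firstValue(k).isEmpty());
    }

    // Hypothetical helper: join every Cookie value from both header sets into
    // one header value. It does not de-duplicate by cookie name, which is the
    // "user cookie overrides system cookie" case raised in the reply.
    static String cookieLine(HttpHeaders sys, HttpHeaders user) {
        List<String> all = new ArrayList<>(sys.allValues("Cookie"));
        all.addAll(user.allValues("Cookie"));
        return String.join("; ", all);
    }

    public static void main(String[] args) {
        // Constructed sample: "system" stands for what a CookieHandler
        // contributes, "user" for headers set explicitly on the request.
        HttpHeaders system = HttpHeaders.of(
                Map.of("Cookie", List.of("SESSION=from-cookie-handler"),
                       "User-Agent", List.of("Java-http-client")),
                (k, v) -> true);
        HttpHeaders user = HttpHeaders.of(
                Map.of("Cookie", List.of("pref=dark")), (k, v) -> true);

        HttpHeaders filtered = filterSystem(system, user);

        // Cookies gathered after filtering: the system Cookie header is gone
        // because the user headers also contain a Cookie header.
        System.out.println("cookies, filtered system headers: " + cookieLine(filtered, user));
        // Proposal in the thread: use the filtered set only for non-cookie
        // headers and gather cookies from the unfiltered system headers.
        System.out.println("cookies, real system headers:     " + cookieLine(system, user));
        System.out.println("non-cookie system headers kept:   " + filtered.map().keySet());
    }
}
```

For session cookies held by a `CookieHandler`, the first line is the case to watch for: the request goes out without the session cookie whenever the caller sets any `Cookie` header of its own.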


