8276774 Solution Proposal for Cookie stored in CookieHandler not sent if user headers contain cookie
Daniel Fuchs
daniel.fuchs at oracle.com
Mon Nov 8 12:05:31 UTC 2021
Hi Pierre,
Thanks for reporting this issue, and thanks for the detailed
explanations. We will have a look at this.
My first thought is that the fix might be a bit more complex
than what you are suggesting here - since we might want
to let a user cookie override the value of a system cookie.
So we might need to fix `collectCookies` to allow for that too.
This probably needs some further investigation.
best regards,
-- daniel
On 08/11/2021 06:32, pierre.viret at postfinance.ch wrote:
> Hi
>
> I have filled a bug report for a problem with Cookie in HttpClient and
> following bug was opened now:
>
> Issue: https://bugs.openjdk.java.net/browse/JDK-8276774
> <https://bugs.openjdk.java.net/browse/JDK-8276774>
>
> Proposal to solve the problem for Http/1.1:
>
> ·Class jdk/internal/net/http/Http1Request.java, Method collectHeaders0
>
> ·Replace line 112 with: HttpHeaders filteredSystemHeaders
> =HttpHeaders.of(systemHeaders.map(), (k,v) ->uh.firstValue(k).isEmpty());
>
> ·Replace line 118 with: collectHeaders1(sb, filteredSystemHeaders,
> nocookies);
>
> The idea is that the line 127: “collectCookies(sb, systemHeaders,
> userHeaders);” will then use the real system headers containing the
> Cookie header with the cookies from the CookieManager, and so we should
> collect both cookies from userHeaders and from systemHeaders together.
>
> Could someone please check this and perform the fix ?
>
> Note that the same problem probably impacts the HTTP/2 implementation as
> the same filter is used in
> jdk.internal.net.http.Stream.headerFrame(long) at line 658
>
> sysh =HttpHeaders.of(sysh.map(), (k,v) ->uh.firstValue(k).isEmpty());
>
> So we should check this case, too.
>
> Regards,
>
> Pierre
>
>
>
> Remarque concernant la sécurité: Ce courriel provenant de PostFinance
> est signé. Vous trouverez d'autres informations à ce sujet sous:
> https://www.postfinance.ch/e-signature. Ne divulguez jamais vos éléments
> de sécurité à des tiers.
>
More information about the net-dev
mailing list