Session cookie implementation in SimpleHttpServer is error prone
----------------------------------------------------------------
Key: AXIS2-839
URL: http://issues.apache.org/jira/browse/AXIS2-839
Project: Apache Axis 2.0 (Axis2)
Type: Improvement
Components: transports
Versions: 1.0
Reporter: Oleg Kalnichevski

(1) Presently both SimpleHttpServer and AbstractHTTPSender are unable to
differentiate session cookies from other cookies. The first cookie found in the
request / response is assumed to contain the session identifier. For instance,
these perfectly valid HTTP requests will cause the session manager to pick a
wrong session context:

    POST /whatever HTTP/1.1
    Cookie: somecookie=somevalue
    Cookie: urn:uuid:xxxxx

    POST /whatever HTTP/1.1
    Cookie: somecookie=somevalue, urn:uuid:xxxxx

The patch attempts to rectify the situation by giving the session cookie a
distinguishable name:

    POST /whatever HTTP/1.1
    Cookie: somecookie=somevalue
    Cookie: axis_session=urn:uuid:xxxxx

    POST /whatever HTTP/1.1
    Cookie: somecookie=somevalue, axis_session=urn:uuid:xxxxx

(2) The patch also fixes the incorrect handling of Set-Cookie2 headers in the
AbstractHTTPSender.

Please note the patch may break badly written clients dependent on the existing
session cookie implementation.
Oleg
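
The difference between first-cookie and name-based session lookup, as an added example that is not part of the report or of the Axis2 patch. The class and method names are hypothetical, the header values are constructed from the requests quoted above, and `firstCookie` is a simplified model of the behaviour the report describes, not the Axis2 code.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

public class SessionCookieLookup {
    // Cookie name taken from the report's example requests.
    static final String SESSION_COOKIE = "axis_session";

    // Simplified model of the reported behaviour: whichever cookie comes
    // first is treated as the session identifier.
    static Optional<String> firstCookie(List<String> cookieHeaders) {
        return cookieHeaders.stream()
                .flatMap(h -> Arrays.stream(h.split("[;,]")))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .findFirst();
    }

    // Name-based lookup: scan every Cookie header and every pair in it, and
    // accept only the pair whose name matches the session cookie name.
    static Optional<String> namedSessionCookie(List<String> cookieHeaders) {
        for (String header : cookieHeaders) {
            for (String pair : header.split("[;,]")) {
                int eq = pair.indexOf('=');
                if (eq < 0) continue;               // bare token without a name: ignore
                String name = pair.substring(0, eq).trim();
                String value = pair.substring(eq + 1).trim();
                if (name.equals(SESSION_COOKIE) && !value.isEmpty()) {
                    return Optional.of(value);
                }
            }
        }
        return Optional.empty();                     // no session cookie present
    }

    public static void main(String[] args) {
        // Constructed header values mirroring the report's examples.
        List<String> twoHeaders = List.of("somecookie=somevalue", "axis_session=urn:uuid:xxxxx");
        List<String> oneHeader = List.of("somecookie=somevalue, axis_session=urn:uuid:xxxxx");
        List<String> noSession = List.of("somecookie=somevalue");

        for (List<String> headers : List.of(twoHeaders, oneHeader, noSession)) {
            System.out.println(headers
                    + " first=" + firstCookie(headers).orElse("<none>")
                    + " named=" + namedSessionCookie(headers).orElse("<none>"));
        }
    }
}
```

In all three constructed cases the first-cookie model returns `somecookie=somevalue` as the session identifier, while the name-based lookup returns the `urn:uuid:` value or nothing when no session cookie was sent.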