[
https://issues.apache.org/jira/browse/GERONIMO-3861?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangjin Lee updated GERONIMO-3861:
----------------------------------
Attachment: GERONIMO-3861.patch
I'm submitting a suggested fix. Please take a look at it, and let me know if
you would like to discuss some of the elements of the fix...
- Created an interface that encapsulates the cookie validation strategy:
CookiePolicy.
- Provided a couple of implementations: DefaultCookiePolicy & NullCookiePolicy.
- When parsing incoming cookies, provide default values for domain & path
attributes if either is missing.
- To do the above, HttpResponseMessage now has a reference to the request URL
(I did not add a reference to the HttpRequestMessage object as I think it's bit
more heavyweight than retaining the request URL).
- CookiePolicy is set on AsyncHttpClient, and is transferred to
HttpRequestMessage when messages are sent.
- The default CookiePolicy is DefaultCookiePolicy.
- Wrote unit tests for cookie validation.
It is working as expected, but I think some details still have room for
discussion. I'd love to hear your thoughts.
Thanks,
Sangjin
> cookies need to be validated and filtered
> -----------------------------------------
>
> Key: GERONIMO-3861
> URL: https://issues.apache.org/jira/browse/GERONIMO-3861
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: AsyncHttpClient
> Affects Versions: 1.x
> Reporter: Sangjin Lee
> Assignee: Rick McGuire
> Priority: Minor
> Attachments: GERONIMO-3861.patch
>
>
> Today AHC simply accepts all cookies from the response and emit all cookies
> in the request. However, the attributes need to be taken into consideration
> when we set the cookies as well as when we send them. Two parts of the issue:
> [1] When we emit the cookies in the request, we need to check
> - if the domain matches
> - if the path matches
> - if the cookie has not expired
> - and if the cookie is secure (if the request protocol is http)
> before adding it to the Cookie header.
> [2] When we accept the cookies in the response, we need to check for the
> domain and the path. Note that we do not discard expired cookies, as that's
> often a way to delete an existing cookie.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
