https://bz.apache.org/bugzilla/show_bug.cgi?id=65505
Bug ID: 65505
Summary: MimeHeaders setValue Order problem
Product: Tomcat 9
Version: 9.0.43
Hardware: All
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: liuzeha...@gmail.com
Target Milestone: -----

If I use Shiro's rememberMe when COMPRESSION is enabled, it will cause rememberMe's cookie to fail to work.

import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.http.ResponseUtil;
import org.junit.Test;

public class TomcatMixHeadersTest {

    /***
     * === MimeHeaders ===
     * Vary = Origin
     * Vary = Access-Control-Request-Method
     * Vary = Access-Control-Request-Headers
     * Access-Control-Allow-Origin = https://xxxx
     * Access-Control-Allow-Credentials = true
     * Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
     * Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
     */
    @Test
    public void testMimeHeaders() {
        MimeHeaders responseHeaders = new MimeHeaders();
        responseHeaders.addValue("Vary").setString("Origin");
        responseHeaders.addValue("Vary").setString("Access-Control-Request-Method");
        responseHeaders.addValue("Vary").setString("Access-Control-Request-Headers");
        responseHeaders.addValue("Access-Control-Allow-Origin").setString("https://xxxx");
        responseHeaders.addValue("Access-Control-Allow-Credentials").setString("true");
        responseHeaders.addValue("Set-Cookie").setString("rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax");
        responseHeaders.addValue("Set-Cookie").setString("rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax");
        System.out.println(responseHeaders);

        ResponseUtil.addVaryFieldName(responseHeaders, "accept-encoding");
        // same as the code above:
        // responseHeaders.setValue("Vary").setString("origin,access-control-request-method,access-control-request-headers,accept-encoding");
        System.out.println(responseHeaders);
    }
}

The execution result is:

=== MimeHeaders ===
Vary = Origin
Vary = Access-Control-Request-Method
Vary = Access-Control-Request-Headers
Access-Control-Allow-Origin = https://xxxx
Access-Control-Allow-Credentials = true
Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax

=== MimeHeaders ===
Vary = origin,access-control-request-method,access-control-request-headers,accept-encoding
Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
Access-Control-Allow-Origin = https://xxxx
Access-Control-Allow-Credentials = true

The order of the Set-Cookie headers was changed. The source code location is:

org/apache/tomcat/embed/tomcat-embed-core/9.0.43/tomcat-embed-core-9.0.43-sources.jar!/org/apache/coyote/CompressionConfig.java:280
org.apache.tomcat.util.http.ResponseUtil#addVaryFieldName(org.apache.tomcat.util.http.MimeHeaders, java.lang.String)
org.apache.tomcat.util.http.MimeHeaders#setValue
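
The reordering in the second dump above, reproduced as an added example that is not part of the original report and is not Tomcat's source: a stand-alone Java model of a header table in which duplicate Vary entries are removed by moving the last entry into the freed slot, next to an order-preserving removal. The class name, the helper names and the swap-with-last removal strategy are assumptions made for illustration; the cookie attributes are shortened, constructed values.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration: a stand-alone model of a header table, not Tomcat's MimeHeaders source.
public class HeaderOrderModel {

    // Assumed removal strategy: the last entry is moved into the freed slot.
    static void removeSwapWithLast(List<String[]> h, int idx) {
        h.set(idx, h.get(h.size() - 1));
        h.remove(h.size() - 1);
    }

    // Models setValue(name): keep the first match, drop later duplicates, overwrite the value.
    static List<String[]> setValue(List<String[]> in, String name, String value, boolean swap) {
        List<String[]> h = new ArrayList<>(in);
        int first = -1;
        for (int i = 0; i < h.size(); i++) {
            if (!h.get(i)[0].equalsIgnoreCase(name)) continue;
            if (first < 0) { first = i; continue; }
            if (swap) removeSwapWithLast(h, i);
            else h.remove(i); // order-preserving: later entries shift down
            i--; // re-examine whatever now occupies slot i
        }
        String[] field = {name, value};
        if (first < 0) h.add(field); else h.set(first, field);
        return h;
    }

    public static void main(String[] args) {
        // Constructed input: header names from the report, cookie attributes shortened.
        String[][] sample = {
            {"Vary", "Origin"},
            {"Vary", "Access-Control-Request-Method"},
            {"Vary", "Access-Control-Request-Headers"},
            {"Access-Control-Allow-Origin", "https://xxxx"},
            {"Access-Control-Allow-Credentials", "true"},
            {"Set-Cookie", "rememberMe=deleteMe; Max-Age=0"},
            {"Set-Cookie", "rememberMe=rememberMeData; Max-Age=1296000"},
        };
        String vary = "origin,access-control-request-method,access-control-request-headers,accept-encoding";
        for (boolean swap : new boolean[] {true, false}) {
            System.out.println(swap ? "swap-with-last removal:" : "order-preserving removal:");
            for (String[] f : setValue(Arrays.asList(sample), "Vary", vary, swap)) {
                System.out.println("  " + f[0] + " = " + f[1]);
            }
        }
    }
}
```

Under the swap-with-last strategy the deleteMe cookie ends up after rememberMeData, the same order as the report's second dump; the order-preserving removal keeps both Set-Cookie headers in the sequence the application added them.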