Hi,

HttpClient version 4.5.6/7 does not validate the cookie’s path attribute. Is this intentional?

With version 4.1.3 I have the following behavior:

1. Http client makes a request with URI “…/actual-path”
2. Server sends a Set-Cookie header with path attribute “Path=/cookie-path”
3. Http client rejects the cookie with a warning:
   Cookie rejected: "[version: 0][name: actual_path][value: /actual-path][domain: localhost][path: /cookie-path][expiry: null]". Illegal path attribute "/cookie-path". Path of origin: "/actual-path"

With version 4.5.6, the behaviour is different:

1. Http client makes a request with URI “…/actual-path”
2. Server sends a Set-Cookie header with path attribute “Path=/cookie-path”
3. The cookie store now contains the cookie sent by the server.

I’ve managed to trace the root cause to org.apache.http.impl.cookie.BasicPathHandler#validate

In version 4.1.3 it was validating the cookie path by calling org.apache.http.impl.cookie.BasicPathHandler#match, and if it returned false, then validate() failed with an exception. In version 4.5.6, validate() does not do anything.

Here is an MCVE: https://github.com/SvetlinZarev/org.example.mcve
Just git clone & run mvn clean test

Thanks and best regards,
Svetlin
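The strict check the message describes for 4.1.3, sketched as stand-alone Java. This is an added example, not part of the original post and not HttpClient's source: it path-matches the path of origin against the Set-Cookie Path attribute (RFC 6265 section 5.1.4 rules) and rejects the cookie on a mismatch. The class and method names are hypothetical and the sample pairs are constructed.

```java
// Added illustration; CookiePathCheck, pathMatch and validate are hypothetical
// names, not HttpClient's API.
public class CookiePathCheck {

    // RFC 6265 section 5.1.4 path-match: does requestPath fall under cookiePath?
    static boolean pathMatch(String requestPath, String cookiePath) {
        if (cookiePath == null || cookiePath.isEmpty()) {
            cookiePath = "/";
        }
        if (requestPath == null || requestPath.isEmpty()) {
            requestPath = "/";
        }
        if (requestPath.equals(cookiePath)) {
            return true;
        }
        if (!requestPath.startsWith(cookiePath)) {
            return false;
        }
        // A plain prefix is not enough: "/app" must not cover "/application".
        return cookiePath.endsWith("/")
                || requestPath.charAt(cookiePath.length()) == '/';
    }

    // Strict validation: refuse a cookie whose Path attribute does not cover
    // the path of the request that received it.
    static void validate(String requestPath, String cookiePath) {
        if (!pathMatch(requestPath, cookiePath)) {
            throw new IllegalArgumentException("Illegal path attribute \""
                    + cookiePath + "\". Path of origin: \"" + requestPath + "\"");
        }
    }

    public static void main(String[] args) {
        // Constructed samples: {path of origin, Path attribute from Set-Cookie}.
        String[][] samples = {
            {"/actual-path", "/cookie-path"},
            {"/actual-path", "/"},
            {"/actual-path/sub", "/actual-path"},
            {"/application", "/app"},
        };
        for (String[] s : samples) {
            try {
                validate(s[0], s[1]);
                System.out.println("accepted: origin=" + s[0] + " path=" + s[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```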
