On Wed, 2019-01-30 at 14:31 +0200, Svetlin Zarev wrote:
> Hi,
>
> HttpClient version 4.5.6/7 does not validate the cookie’s path
> attribute. Is this intentional?
>

It depends on the _specific_ policy used by HttpClient and _specific_
version of the cookie being processed.

Oleg

>
> With version 4.1.3 I have the following behavior:
> 1. Http client makes a request with URI “…/actual-path”
> 2. Server sends a Set-Cookie header with path attribute
>    “Path=/cookie-path”
> 3. Http client rejects the cookie with a warning:
>
> Cookie rejected: "[version: 0][name: actual_path][value:
> /actual-path][domain: localhost][path: /cookie-path][expiry: null]".
> Illegal path attribute "/cookie-path". Path of origin: "/actual-path"
>
>
> With version 4.5.6, the behaviour is different:
> 1. Http client makes a request with URI “…/actual-path”
> 2. Server sends a Set-Cookie header with path attribute
>    “Path=/cookie-path”
> 3. The cookie store now contains the cookie sent by the server.
>
> I’ve managed to trace the root cause to
> org.apache.http.impl.cookie.BasicPathHandler#validate
>
> In version 4.1.3 it was validating the cookie path by calling
> org.apache.http.impl.cookie.BasicPathHandler#match and if it returns
> false, then validate() fails with an exception.
>
> In version 4.5.6, validate() does not do anything.
>
> Here is an MCVE: https://github.com/SvetlinZarev/org.example.mcve
> Just git clone & run mvn clean test
>
> Thanks and best regards,
> Svetlin
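The strict check discussed in this thread (reject a cookie whose Path attribute does not cover the path of origin), as an added example that is not HttpClient's code and not from either poster. It assumes the RFC 6265 section 5.1.4 path-match rule is the check wanted; the class and method names are hypothetical and the sample paths are constructed, with the first pair taken from the thread.

```java
/** Strict Path check for a received cookie, using RFC 6265 section 5.1.4 path-match. */
public class CookiePathCheck {

    /** Treats a missing or empty path as "/". */
    static String normalize(String path) {
        return (path == null || path.isEmpty()) ? "/" : path;
    }

    /** Returns true when requestPath path-matches cookiePath. */
    static boolean pathMatches(String cookiePath, String requestPath) {
        String cp = normalize(cookiePath);
        String rp = normalize(requestPath);
        if (rp.equals(cp)) {
            return true;
        }
        if (!rp.startsWith(cp)) {
            return false;
        }
        // A prefix only counts on a "/" boundary, so "/cookie-pathology"
        // is not covered by "/cookie-path". rp is strictly longer than cp
        // here, so charAt(cp.length()) is in range.
        return cp.endsWith("/") || rp.charAt(cp.length()) == '/';
    }

    public static void main(String[] args) {
        // Constructed samples: {Path attribute, path of origin}.
        String[][] samples = {
            {"/cookie-path", "/actual-path"},      // the case from the thread
            {"/cookie-path", "/cookie-path"},      // identical paths
            {"/cookie-path", "/cookie-path/edit"}, // sub-path of the cookie path
            {"/cookie-path", "/cookie-pathology"}, // shared prefix, no boundary
            {"/cookie-path/", "/cookie-path"},     // trailing slash on the attribute
            {"/", "/actual-path"},                 // root path covers everything
        };
        for (String[] s : samples) {
            String verdict = pathMatches(s[0], s[1]) ? "accept" : "reject";
            System.out.printf("Path=%-14s origin=%-18s -> %s%n", s[0], s[1], verdict);
        }
    }
}
```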