[ 
https://issues.apache.org/jira/browse/CXF-9088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17906227#comment-17906227
 ] 

Andriy Redko edited comment on CXF-9088 at 12/17/24 1:07 AM:
-------------------------------------------------------------

Hi [~dsylaiev], I am not sure what exactly httpbin.org does under the hood, 
but this is what CXF sends as the Cookie header:

> Cookie=[$Version="1"; 1=2; $Path=/]}

It comes directly from CXF's internal Cookie class: 
[https://github.com/apache/cxf/blob/main/rt/transports/http/src/main/java/org/apache/cxf/transport/http/Cookie.java#L148]
It uses the legacy [https://datatracker.ietf.org/doc/html/rfc2109], which 
httpbin.org does not seem to support (nor 
https://datatracker.ietf.org/doc/html/rfc2965).


was (Author: reta):
Hi [~dsylaiev], I am not sure what exactly httpbin.org does under the hood, 
but this is what CXF sends as the Cookie header:

> Cookie=[$Version="1"; 1=2; $Path=/]}

It comes directly from CXF's internal Cookie class: 
[https://github.com/apache/cxf/blob/main/rt/transports/http/src/main/java/org/apache/cxf/transport/http/Cookie.java#L148]
It uses the legacy [https://datatracker.ietf.org/doc/html/rfc2109], which 
httpbin.org does not seem to support.

> Set-Cookies set the incorrect metadata on redirect Cookies header when 
> maintain session
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-9088
>                 URL: https://issues.apache.org/jira/browse/CXF-9088
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.5.9, 4.0.5, 3.6.4
>            Reporter: Dmytro Sylaiev
>            Priority: Major
>
> When executing this code:
>  
> {noformat}
> WebClient webClient = WebClient.create("http://httpbin.org/cookies/set/1/2");
> ClientConfiguration config = WebClient.getConfig(webClient);
> config.getRequestContext().put(Message.MAINTAIN_SESSION, true);
> config.getRequestContext()
>         .put("http.redirect.relative.uri", "true");
> HTTPConduit httpConduit = WebClient.getConfig(webClient).getHttpConduit();
> HTTPClientPolicy policy = httpConduit.getClient();
> policy.setAutoRedirect(true);
> Response r = webClient.get();
> System.out.println(r.getStatus());
> System.out.println("===");
> System.out.println("Response cookies: ");
> r.getCookies().forEach((k, v) -> {
>     System.out.println(k + " : " + v.getName() + "=" + v.getValue());
> });
> System.out.println("===");
> System.out.println("Session cookies: ");
> httpConduit.getCookies().forEach((k, v) -> {
>     System.out.println(k + " : " + v.getName() + "=" + v.getValue());
> });
> System.out.println("===");
> while (((InputStream) r.getEntity()).available() > 0) {
>     System.out.print((char) ((InputStream) r.getEntity()).read());
> }
> r.close();
> {noformat}
> the result is 
>  
> {noformat}
> 200
> ===
> Response cookies: 
> ===
> Session cookies: 
> 1 : 1=2
> ===
> {
>   "cookies": {
>     "$Path": "/", 
>     "$Version": "1", 
>     "1": "2"
>   }
> }
> {noformat}
> so the session cookie on the CXF side is correct, but the endpoint (the 
> /cookies/set/1/2/ returns a Set-Cookie header and then redirects to one which 
> displays what Cookie header it receives) shows that after the Set-Cookie 
> header was received, the redirect with the Cookie header still contains the $Path and 
> $Version attributes as separate cookies.
>  
> Unlike in Postman or Curl, where the response body with maintain session is 
> {noformat}
> {    
>    "cookies": {        
>      "1": "2"
>     }
> }{noformat}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
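
The mismatch discussed in this thread, as an added example that is not part of the Jira issue or of CXF's code: the same Cookie header value read by a receiver that treats every name=value pair as a cookie (the RFC 6265 cookie-string shape) and by one that treats $-prefixed names as RFC 2109 attributes. The function names are hypothetical, and stripping the surrounding double quotes from values is an assumption made so the result matches the output quoted in the issue.

```python
# Constructed sample: the Cookie header value quoted in the comment above.
LEGACY_HEADER = '$Version="1"; 1=2; $Path=/'


def _pairs(header):
    """Yield (name, value) for each ';'-separated name=value pair."""
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name:
            continue  # skip empty or malformed segments
        value = value.strip()
        # Assumption: drop surrounding double quotes, as in the issue's output.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        yield name.strip(), value


def parse_rfc6265(header):
    """RFC 6265-style receiver: every pair is a cookie, '$' is not special."""
    return dict(_pairs(header))


def parse_rfc2109(header):
    """RFC 2109-style receiver: $Version is global, other $names are
    attributes of the cookie that precedes them."""
    version, cookies = None, []
    for name, value in _pairs(header):
        if name == "$Version":
            version = value
        elif name.startswith("$"):
            if cookies:
                cookies[-1]["attrs"][name[1:]] = value
        else:
            cookies.append({"name": name, "value": value, "attrs": {}})
    return version, cookies


def to_rfc6265_header(cookies):
    """Serialize only name=value pairs, the form curl and Postman send."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


if __name__ == "__main__":
    print(parse_rfc6265(LEGACY_HEADER))
    version, jar = parse_rfc2109(LEGACY_HEADER)
    print(version, jar)
    print(to_rfc6265_header(jar))
```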
