Kishanthan Thangarajah created AXIS2-5608:
---------------------------------------------

             Summary: Axis2 ignores cookie values other than JSESSIONID/axis_session from http response headers
                 Key: AXIS2-5608
                 URL: https://issues.apache.org/jira/browse/AXIS2-5608
             Project: Axis2
          Issue Type: Bug
    Affects Versions: 1.6.2
            Reporter: Kishanthan Thangarajah
            Assignee: Kishanthan Thangarajah
             Fix For: 1.7.0


Currently in HTTPSenderImpl#obtainHTTPHeaderInformation, the Session Cookie 
string is constructed by checking only JSESSIONID/axis_session from response 
headers and then adding them as cookie string. It ignores other values which 
are coming with Set-Cookie from response headers. This will cause issues with 
session stickiness, if a client application tries to call some services via a 
load-balancer, where the load-balancer has its own way of handling session 
stickiness with its own cookie header.

For example, if the requests are going through an Amazon ELB, it expects a 
cookie named "AWSELB" to identify the correct node. But this will fail if 
the client did not send that cookie with the request, as the axis2 client only 
sends the JSESSIONID.

As a fix, we can remove the check for specific values (e.g. JSESSIONID), and 
set whatever Set-Cookie values come with the response headers as the Cookie 
string value. This will not break any existing apps because it does not remove 
any values; rather, it adds the missing values.

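The difference between the filtered behaviour and the proposed one, as an added example (not Axis2's code and not from the reporter): the hypothetical cookieHeader helper and the header values below are constructed for illustration. It sends back only each cookie's name=value pair and drops attributes such as Path and HttpOnly, which belong to the response side.

```java
import java.util.*;

public class SessionCookieDemo {
    // Cookie names kept by the behaviour the report describes for 1.6.2.
    static final Set<String> SESSION_NAMES = Set.of("JSESSIONID", "axis_session");

    /** Builds a Cookie request-header value from Set-Cookie response-header values. */
    static String cookieHeader(List<String> setCookieValues, boolean sessionNamesOnly) {
        Map<String, String> jar = new LinkedHashMap<>();
        for (String header : setCookieValues) {
            // Only the first "name=value" pair is the cookie itself; Path, Domain,
            // Secure, HttpOnly and the rest are attributes and are never echoed back.
            String pair = header.split(";", 2)[0].trim();
            int eq = pair.indexOf('=');
            if (eq <= 0) continue;                 // malformed or nameless entry: skip
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            if (sessionNamesOnly && !SESSION_NAMES.contains(name)) continue;
            jar.put(name, value);                  // a later Set-Cookie replaces an earlier one
        }
        StringJoiner out = new StringJoiner("; ");
        jar.forEach((n, v) -> out.add(n + "=" + v));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed response headers: one from the service, one from the load balancer.
        List<String> setCookie = List.of(
            "JSESSIONID=0123456789ABCDEF; Path=/services; HttpOnly",
            "AWSELB=constructed-stickiness-token; Path=/");

        // Filtered: the load balancer's cookie is dropped, so stickiness is lost.
        System.out.println("filtered : " + cookieHeader(setCookie, true));
        // Proposed: every cookie from the response is returned on the next request.
        System.out.println("proposed : " + cookieHeader(setCookie, false));
    }
}
```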