[jira] [Commented] (AXIS2-5608) Axis2 ignores cookie values other than JSESSIONID/axis_session from http response headers

Sun, 29 May 2016 04:16:23 -0700 

    [ 
https://issues.apache.org/jira/browse/AXIS2-5608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15305861#comment-15305861
 ] 

Hudson commented on AXIS2-5608:
-------------------------------

SUCCESS: Integrated in Axis2 #3537 (See 
[https://builds.apache.org/job/Axis2/3537/])
Revert r1527429 (AXIS2-5608).

Reasons:
* That code change is responsible for the regression described in AXIS2-5772.
* It has zero test coverage.
* If multiple Set-Cookie headers are present, the code concatenates their 
values to a single string with ';' used as the separator. That's obviously 
incorrect. (veithen: rev 1745982)
* 
axis2/modules/transport/http-hc3/src/main/java/org/apache/axis2/transport/http/impl/httpclient3/HTTPSenderImpl.java
* 
axis2/modules/transport/http/src/org/apache/axis2/transport/http/impl/httpclient4/HTTPSenderImpl.java


> Axis2 ignores cookie values other than JSESSIONID/axis_session from http 
> response headers
> -----------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5608
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5608
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.2
>            Reporter: Kishanthan Thangarajah
>            Assignee: Kishanthan Thangarajah
>             Fix For: 1.7.0
>
>
> Currently in HTTPSenderImpl#obtainHTTPHeaderInformation, the Session Cookie 
> string is constructed by checking only JSEESIONID/axis_session from response 
> headers and then adding them as cookie string. It ignores other values which 
> are coming with Set-Cookie from response headers. This will cause issues with 
> session stickiness, if a client application tries to call some services via a 
> load-balancer, where the load-balancer has its own way of handling session 
> stickiness with its own cookie header.
> For example, if the requests are going through an Amazon ELB, it expect a 
> cookie named as "AWSELB" to identify the correct node. But this will fail, if 
> the client did not send the that cookie with the request, as axis2 client 
> only sends the JSESSIONID.
> As a fix, we can remove the check for specific values (eg : JSESSIONID), and 
> set whatever the Set-Cookie values coming with response headers as the Cookie 
> string value. This will not break any existing apps because, it does not 
> remove any values rather it adds those missing values.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to