We use something like this:

response.addHeader("Set-Cookie",
        "[email protected]|1295442881|laFf9MAZUTc7rvJqhq54rQ==|CX7PgJK0P4zEywRtG9ix+L98jTfILumYrPKYZ4luxfc=; path=/; httpOnly");

called different times with different names (and also a secure-only cookie),
since we also need the httpOnly flag to be set; thus it's not possible to use
the normal javax.servlet.http.Cookie class.

Tampering with the request, we see that the header value is:
[email protected]|1295442881|laFf9MAZUTc7rvJqhq54rQ==|CX7PgJK0P4zEywRtG9ix+L98jTfILumYrPKYZ4luxfc=; path=/; httpOnly
user_logged_in=true; path=/
[email protected]|1263863681|+jZzblDmjCo1wWFZOdxRaQ==|3r1WMPuUk2ghrvl+3RmcIPLjueD8fjBYPnbBN/s+3j0=; path=/; httpOnly; Secure

where the carriage return seems to be used as separator.

To get the values I used this code:
            // Wrap the protocol headers once, then try both spellings of the name.
            org.apache.cxf.jaxrs.impl.MetadataMap<String, String> protocolHeaders =
                    new org.apache.cxf.jaxrs.impl.MetadataMap<String, String>(
                            (Map<String, List<String>>) m.get(Message.PROTOCOL_HEADERS));
            String cookieHeaderString = protocolHeaders.getFirst("Cookie");
            // XXX: In some systems instead of Cookie, cookie must be used.
            if (cookieHeaderString == null) {
                cookieHeaderString = protocolHeaders.getFirst("cookie");
            }

the double call is because in linux+jboss+firefox instead of 'Cookie',
'cookie' is used.

Changing the ; to ' when setting the header value doesn't change the
behaviour. The call to:
Map<String, Cookie> cookies = headers.getCookies();
always returns only a cookie (the user_logged_in one).



Cheers,
V.

On Mon, Jan 18, 2010 at 11:51 AM, Sergey Beryozkin <[email protected]> wrote:

> Hi
>
>
>> We have a single cookie header containing multiple values.
>>
>> Example:
>> [email protected]|1295428834|7mMx6SxeIeSaWhygsOsAyA==|Iy/1xl/kOwderfdsdhAg/ip1Qsb0dwerQOJ8zDYJ34=;
>> user_logged_in=true
>>
>> I realized we are not encoding the cookie values, maybe this is the
>> problem... I'm going to try right now.
>>
>
> Looks like the problem is that a ';' separator is used as a delimiter
> between multiple values, one cookie value is
>
>
> "[email protected]|1295428834|7mMx6SxeIeSaWhygsOsAyA==|Iy/1xl/kOwderfdsdhAg/ip1Qsb0dwerQOJ8zDYJ34=;"
>
> and another one is
>
> "user_logged_in=true"
>
> Is it possible for you to use a ',' as a separator ? Now, looking at [1] I
> can see
>
> "Cookie:" cookie-version 1*((";" | ",") cookie-value)
> so perhaps some cookies might contain a ',' as a separator between a
> version and the actual value, but all cookies I've seen so far do use ';'.
>
> Also, I fixed yesterday an issue with multiple Cookie headers not being
> handled properly. So, right now, you need to use a ',' just before
> user_logged_in=true and starting from 2.2.6 (due in few days or so) you'd be
> able to use multiple Cookie headers as well...
>
> cheers, Sergey
>
> [1] http://tools.ietf.org/html/rfc2965
>
>
>
>
>
>>
>>
>> Thanks,
>> V.
>>
>> On Fri, Jan 15, 2010 at 3:47 PM, Sergey Beryozkin <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> do you have multiple Cookie headers or a single Cookie containing
>>> multiple values:
>>>
>>> Cookie: a=b,c=d
>>>
>>> I can see a test confirming HttpHeaders.getCookies() returns a map
>>> containing two entries.
>>> Can you post a sample Cookie value I can add a test for ?
>>>
>>> thanks, Sergey
>>>
>>>
>>>> The problem parsing the header when having multiple cookies seems
>>>> to be present also when injecting the HttpHeaders headers.
>>>> headers.getCookies() returns only one cookie.
>>>>
>>>> Is there any Jira issue tracking this?
>>>>
>>>>
>>>>
>>>> Thanks,
>>>> V.
>>>>
>>>> On Thu, Jan 14, 2010 at 5:35 PM, Michael Guyver <[email protected]> wrote:
>>>>
>>>>  2010/1/14 Sergey Beryozkin <[email protected]>:
>>>>
>>>>> > Hi
>>>>> >
>>>>> > One can write either a CXF interceptor or CXF JAXRS RequestHandler filter,
>>>>> > please see
>>>>> >
>>>>> > http://cxf.apache.org/docs/jax-rs.html#JAX-RS-DifferencebetweenJAXRSfiltersandCXFinterceptors
>>>>> >
>>>>> > If you do JAX-RS only then writing a filter could be a simpler option, for
>>>>> > ex, one can have JAXRS HttpHeaders injected into a custom filter:
>>>>> >
>>>>> > @Context
>>>>> > private HttpHeaders headers;
>>>>> >
>>>>> > and then just do headers.getCookies() in handleRequest();
>>>>> >
>>>>> > Alternatively, if you prefer to write a CXF interceptor then you can get to
>>>>> > the cookies like this:
>>>>> >
>>>>> > String rawValue = new MetadataMap<String, String>(
>>>>> >     (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS)).getFirst("Cookie");
>>>>> >
>>>>> > Cookie c = Cookie.valueOf(rawValue);
>>>>> >
>>>>> > Note that the CXF HTTP transport does not split multiple header values
>>>>> > (those separated by ',') so if the Cookie header contains multiple cookies
>>>>> > then you'd need to split them first before doing Cookie.valueOf(rawValue);
>>>>> >
>>>>> > hope it helps, Sergey
>>>>> >
>>>>>
>>>>> Hi Sergey,
>>>>>
>>>>> That's great, thanks very much for your help!
>>>>>
>>>>> Cheers
>>>>>
>>>>> Michael
>>>>>
>>>>>
>>>>>
>>>>
>>
>
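
Added example (not part of the original thread and not CXF's own code): a stand-alone way to split a raw Cookie header on both ';' and ',' and to look the header name up case-insensitively, so neither the separator nor the 'Cookie'/'cookie' spelling makes the session cookie disappear. The class and method names and the sample cookie are constructed; it assumes unquoted cookie values like the ones shown in this thread.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class CookieHeaderSplitter {

    /** Splits one raw Cookie header value into name/value pairs on ';' or ','. */
    static Map<String, String> parseCookies(String rawHeader) {
        Map<String, String> cookies = new LinkedHashMap<String, String>();
        if (rawHeader == null) return cookies;
        for (String pair : rawHeader.split("[;,]")) {
            String trimmed = pair.trim();
            int eq = trimmed.indexOf('=');   // first '=' only: base64 values end in '='
            if (eq <= 0) {
                continue;                    // skip empty segments and bare tokens
            }
            String name = trimmed.substring(0, eq);
            if (name.startsWith("$")) {
                continue;                    // RFC 2965 attributes: $Version, $Path, $Domain
            }
            cookies.put(name, trimmed.substring(eq + 1));
        }
        return cookies;
    }

    /** Header names are case-insensitive, so copy them into a case-insensitive map. */
    static String firstHeader(Map<String, List<String>> headers, String name) {
        Map<String, List<String>> ci =
                new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
        ci.putAll(headers);
        List<String> values = ci.get(name);
        return (values == null || values.isEmpty()) ? null : values.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample: lower-case header name, two cookies, base64-style value.
        Map<String, List<String>> headers = new LinkedHashMap<String, List<String>>();
        headers.put("cookie", List.of(
                "auth=user|1295442881|c2FsdA==|c2lnbmF0dXJl; user_logged_in=true"));
        Map<String, String> cookies = parseCookies(firstHeader(headers, "Cookie"));
        // Fail closed: the auth cookie must be present, not just the first pair parsed.
        if (!cookies.containsKey("auth") || !cookies.containsKey("user_logged_in")) {
            throw new IllegalStateException("expected both cookies, got " + cookies.keySet());
        }
        System.out.println(cookies);
    }
}
```

A quoted cookie value that itself contains ';' or ',' would need a real tokenizer instead of the regular-expression split used here.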
