Hi
We use something like this:
    response.addHeader("Set-Cookie",
        "[email protected]|1295442881|laFf9MAZUTc7rvJqhq54rQ==|CX7PgJK0P4zEywRtG9ix+L98jTfILumYrPKYZ4luxfc=; "
        + "path=/; httpOnly");
called different times with different names (and also a secure only cookie)
since we also need the httpOnly flag to be set thus it's not possible to use
the normal javax.servlet.http.Cookie class.
But this is a Set-Cookie header, not a Cookie header? By the way, there is a JAX-RS NewCookie utility class that might be used
instead... Actually, I see, you're probably using HttpServletResponse directly...
Tampering the request we see that the header value is :
[email protected]|1295442881|laFf9MAZUTc7rvJqhq54rQ==|CX7PgJK0P4zEywRtG9ix+L98jTfILumYrPKYZ4luxfc=;
path=/; httpOnly
user_logged_in=true; path=/
[email protected]|1263863681|+jZzblDmjCo1wWFZOdxRaQ==|3r1WMPuUk2ghrvl+3RmcIPLjueD8fjBYPnbBN/s+3j0=;
path=/; httpOnly; Secure
where the carriage return seems to be used as separator.
AFAIK it is something (the carriage return) that is kind of an internal/on-the-wire detail only and it is used for the readability
purposes, when the header value is too long. According to [2], the older state management rfc, "the Set-Cookie response header
comprises the token Set-Cookie:, followed by a *comma-separated* list of one or more cookies."
To get the values I used this code:
I see... After your server replies with Set-Cookie, the code below is used to
retrieve the original cookies sent back by a client...
    String cookieHeaderString =
        new org.apache.cxf.jaxrs.impl.MetadataMap<String, String>(
            (Map<String, List<String>>) m.get(Message.PROTOCOL_HEADERS))
            .getFirst("Cookie");
    // XXX: In some systems instead of Cookie, cookie must be used.
    if (cookieHeaderString == null) {
        cookieHeaderString =
            new org.apache.cxf.jaxrs.impl.MetadataMap<String, String>(
                (Map<String, List<String>>) m.get(Message.PROTOCOL_HEADERS))
                .getFirst("cookie");
    }
the double call is because in linux+jboss+firefox instead of 'Cookie',
'cookie' is used.
Note that HttpHeaders is using a case-insensitive MetadataMap as required by JAX-RS, you can do the same by doing new
org.apache.cxf.jaxrs.impl.MetadataMap(map, true, true);
changing the ; to ' when setting the header value doesn't change the
behaviour.
I meant that the Cookie header string should contain a ',' as a separator between multiple values. Given that HttpServletResponse
does not add a ',' between different Set-Cookie values when you do multiple SetCookie on it, no ',' is present in the client request
either. Can you confirm once again please no ',' is available in a Cookie value ? [1] also says :
the call to:
Map<String, Cookie> cookies = headers.getCookies();
always returns only a cookie (the user_logged_in one).
Can you please do the following :
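    // PROTOCOL_HEADERS is stored as an Object, so cast it to the header map first.
    for (String value : ((Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS)).get("Cookie")) {
        System.out.println(value);
    }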
will you get a single value containing something like
"[email protected]|1295428834|7mMx6SxeIeSaWhygsOsAyA==|Iy/1xl/kOwderfdsdhAg/ip1Qsb0dwerQOJ8zDYJ34=;
user_logged_in=true"
or two values, one is
"[email protected]|1295428834|7mMx6SxeIeSaWhygsOsAyA==|Iy/1xl/kOwderfdsdhAg/ip1Qsb0dwerQOJ8zDYJ34=;"
and the other one is :
"user_logged_in=true"
?
That is, I'd like to check if the underlying container sees the Cookie headers
containing a single value or two values.
Perhaps, rather than doing multiple response.addHeader("SetCookie", value), you can instead build a SetCookie string consisting of
multiple values separated by ',' and then do response.addHeader("SetCookie", value) just once ?
The problem is that I do not see either in HTTP 1.1 [2] or [1] that a 'next line' can be used as a separator between multiple
Cookie values. Perhaps the multi-line string should be just folded back, due to the fact a CRLF or LWS [2] have been used to
separate multiple words ?
I guess what I can try to do is to let users explicitly configure a jaxrs:server endpoint with a property like
"org.apache.cxf.http.cookie.separator=crlf" ? First though, let me know if you can update the server code as suggested above, for
',' being used as a separator.
thanks, Sergey
Cheers,
V.
[1] http://tools.ietf.org/html/rfc2109
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
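
Added example, not part of the thread and not CXF code: a stand-alone Java parser for the situation discussed above, where the container may hand over the Cookie header as one value or several, under either "Cookie" or "cookie". It goes beyond the thread by accepting ';', ',' and folded lines as separators in one pass. The class and method names (CookieHeaderDemo, headerValues, parseCookies) are hypothetical, and the cookie names and values in main are constructed.

```java
import java.util.*;

public class CookieHeaderDemo {

    // Collects every value of a header, matching the name case-insensitively
    // ("Cookie" vs "cookie"), since HTTP header names are not case-sensitive.
    static List<String> headerValues(Map<String, List<String>> headers, String name) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase(name)) {
                out.addAll(e.getValue());
            }
        }
        return out;
    }

    // Parses all Cookie header values into name -> value pairs.
    static Map<String, String> parseCookies(List<String> cookieHeaderValues) {
        Map<String, String> cookies = new LinkedHashMap<>();
        for (String headerValue : cookieHeaderValues) {
            // Undo line folding (CRLF followed by whitespace) before splitting.
            String unfolded = headerValue.replaceAll("\\r?\\n[ \\t]*", " ");
            // Split on ';' and also on ',' (the RFC 2109 style separator).
            for (String pair : unfolded.split("[;,]")) {
                int eq = pair.indexOf('=');   // first '=' only: base64 values end in '='
                if (eq <= 0) continue;        // no name, or no '=' at all
                String name = pair.substring(0, eq).trim();
                if (name.isEmpty() || name.startsWith("$")) continue; // skip $Version, $Path
                // Keep the first occurrence so a later duplicate cannot override it.
                cookies.putIfAbsent(name, pair.substring(eq + 1).trim());
            }
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed sample: lower-case header name, one folded value, one separate value.
        Map<String, List<String>> headers = new HashMap<>();
        headers.put("cookie", Arrays.asList(
            "session=user|1295442881|c2FtcGxlLWl2IQ==|c2FtcGxlLW1hYw==;\r\n user_logged_in=true",
            "secure_session=user|1263863681|c2FtcGxl"));
        Map<String, String> cookies = parseCookies(headerValues(headers, "Cookie"));
        for (Map.Entry<String, String> c : cookies.entrySet()) {
            System.out.println(c.getKey() + " -> " + c.getValue());
        }
    }
}
```

All three constructed cookies are returned, with the trailing '=' padding of the values intact.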