cxf-users mailing list archives

From Sergey Beryozkin <>
Subject Re: Access to HTTP cookie values in Interceptor or Invoker implementation?
Date Mon, 18 Jan 2010 14:58:25 GMT

> We use something like this:
> response.addHeader("Set-Cookie",
> "|1295442881|laFf9MAZUTc7rvJqhq54rQ==|CX7PgJK0P4zEywRtG9ix+L98jTfILumYrPKYZ4luxfc=;
> path=/; httpOnly");
> called different times with different names (and also a secure only cookie)
> since we also need the httpOnly flag to be set thus it's not possible to use
> the normal javax.servlet.http.Cookie class.

But this is a Set-Cookie header, not a Cookie header? By the way, there is a JAX-RS NewCookie
utility class that might be used instead... Actually, I see, you're probably using
HttpServletResponse directly...

> Tampering the request we see that the header value is :
> path=/; httpOnly
> user_logged_in=true; path=/
> path=/; httpOnly; Secure
> where the carriage return seems to be used as separator.

AFAIK it is something (the carriage return) that is kind of an internal/on-the-wire detail
only and it is used for readability purposes, when the header value is too long. According
to [2], the older state management RFC, "the Set-Cookie response header comprises the token
Set-Cookie:, followed by a *comma-separated* list of one or more cookies."

> To get the values I used this code:
I see...After your server replies with Set-Cookie, the code below is used to retrieve the
original cookies sent back by a client...

>              String cookieHeaderString =
>                    new org.apache.cxf.jaxrs.impl.MetadataMap<String,
> String>(
>                            (Map<String, List<String>>) m
>                                    .get(Message.PROTOCOL_HEADERS))
>                            .getFirst("Cookie");
>            // XXX: In some systems instead of Cookie, cookie must be used.
>            if (cookieHeaderString == null) {
>                cookieHeaderString =
>                        new org.apache.cxf.jaxrs.impl.MetadataMap<String,
> String>(
>                                (Map<String, List<String>>) m
>                                        .get(Message.PROTOCOL_HEADERS))
>                                .getFirst("cookie");
>            }
> the double call is because in linux+jboss+firefox instead of 'Cookie',
> 'cookie' is used.

Note that HttpHeaders is using a case-insensitive MetadataMap as required by JAX-RS; you can
do the same by doing new org.apache.cxf.jaxrs.impl.MetadataMap(map, true, true);

> changing the ; to ' when setting the header value doesn't change the
> behaviour.

I meant that the Cookie header string should contain a ',' as a separator between multiple
values. Given that HttpServletResponse does not add a ',' between different Set-Cookie values
when you do multiple SetCookie on it, no ',' is present in the client request either. Can you
confirm once again please no ',' is available in a Cookie value? [1] also says:

> the call to:
> Map<String, Cookie> cookies = headers.getCookies();
> always returns only a cookie (the user_logged_in one).

Can you please do the following :

for (String value : message.get(Message.PROTOCOL_HEADERS).get("Cookie")) {



will you get a single value containing something like

or two values, one is


and the other one is :



That is, I'd like to check if the underlying container sees the Cookie headers containing
a single value or two values.

Perhaps, rather than doing multiple response.addHeader("SetCookie", value), you can instead
build a SetCookie string consisting of multiple values separated by ',' and then do
response.addHeader("SetCookie", value) just once.

The problem is that I do not see in either HTTP 1.1 [2] or [1] that a 'next line' can be
used as a separator between multiple Cookie values. Perhaps the multi-line string should be
just folded back, due to the fact a CRLF or LWS [2] have been used to separate multiple words?

I guess what I can try to do is to let users explicitly configure a jaxrs:server endpoint
with a property like "org.apache.cxf.http.cookie.separator=crlf"? First though, let me know
if you can update the server code as suggested above, for ',' being used as a separator.

thanks, Sergey

> Cheers,
> V.
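
The checks discussed in this message, as an added example that is not part of the original thread and is not CXF code: a plain-JDK sketch that looks up the Cookie header case-insensitively, unfolds CRLF+LWS continuation lines, and accepts both ';' and ',' between cookies. The class and method names (`CookieHeaderDemo`, `headerValues`, `parseCookies`) and the sample header values are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class CookieHeaderDemo {

    // Collect every value of a header, whatever case the container used for its name
    // ("Cookie" vs "cookie"), so no second lookup is needed.
    static List<String> headerValues(Map<String, List<String>> headers, String name) {
        Map<String, List<String>> ci = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            ci.computeIfAbsent(e.getKey(), k -> new ArrayList<>()).addAll(e.getValue());
        }
        return ci.getOrDefault(name, new ArrayList<>());
    }

    // Parse Cookie request-header values into name/value pairs. Works whether the
    // container hands over one combined value or several separate values.
    static Map<String, String> parseCookies(List<String> values) {
        Map<String, String> cookies = new LinkedHashMap<>();
        for (String raw : values) {
            // Unfold continuation lines (line break followed by space or tab).
            String unfolded = raw.replaceAll("\\r?\\n[ \\t]+", " ");
            // Assumption: cookie values themselves contain no ';' or ','.
            for (String pair : unfolded.split("[;,]")) {
                int eq = pair.indexOf('=');  // first '=' only: base64 values end in '=' padding
                if (eq <= 0) continue;       // not a name=value pair
                String name = pair.substring(0, eq).trim();
                // Skip RFC 2109 attributes such as $Version and $Path.
                if (name.isEmpty() || name.startsWith("$")) continue;
                cookies.put(name, pair.substring(eq + 1).trim());
            }
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed sample: lower-case header name, two header values, one of them folded.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("cookie", Arrays.asList(
            "session=|1295442881|c2FtcGxlLXZhbHVlcw==; user_logged_in=true",
            "token=YWJjZA==,\r\n theme=dark"));
        System.out.println(parseCookies(headerValues(headers, "Cookie")));
    }
}
```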

