geronimo-dev mailing list archives

From "Sangjin Lee" <sjl...@gmail.com>
Subject [AsyncHttpClient] cookie handling bugs
Date Wed, 13 Feb 2008 22:17:14 GMT
I found a couple of issues with how AHC handles cookies.

[1] cookies are not following redirects
When you get redirected or challenged but Set-Cookie headers were received
from the response, those cookies should now be included for the next request
for the redirect.  What I found is that AHC does not really transfer those
cookies from the response to the next request when redirect or auth
challenges occur.  This causes issues...

One could perhaps argue that perhaps cookies belong in the client itself,
and should always be applied to all requests that match the condition.
However, I could see arguments either way (either keeping cookies on a
request basis or keeping them on the client).  Also, it would be a pretty
sizable change at this time.  I tend to think it would be OK to keep cookies
at a request level but cookies should be transferred on subsequent requests
when you're redirected or auth challenged.

[2] no validation is done when cookie headers are added to the request
Cookies contain key attributes such as domain, path, max-age, secure, etc.
A compliant client should honor at least those attributes when we add the
Cookie header to the request.

I'll follow up with a couple of JIRA bugs on those, and also submit proposed
fixes for them.  Please let me know what you think.

Thanks,
Sangjin
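
The attribute checks from [2], applied to the follow-up request from [1], as an added example that is not part of the original message and is not AHC code. The `Cookie` record and all method names are hypothetical, the matching rules assumed are the domain-match and path-match of RFC 6265, and it needs Java 16 or later.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

public class CookieCarryOver {
    // Hypothetical model. expiresAt = receipt time + Max-Age in ms, Long.MAX_VALUE for session cookies.
    record Cookie(String name, String value, String domain, boolean hostOnly,
                  String path, boolean secure, long expiresAt) {}

    static boolean domainMatches(Cookie c, String host) {
        String h = host.toLowerCase(Locale.ROOT), d = c.domain().toLowerCase(Locale.ROOT);
        if (c.hostOnly()) return h.equals(d);        // no Domain attribute: exact host only
        return h.equals(d) || h.endsWith("." + d);   // suffix match on a label boundary
    }

    static boolean pathMatches(Cookie c, String reqPath) {
        String p = c.path(), r = (reqPath == null || reqPath.isEmpty()) ? "/" : reqPath;
        if (r.equals(p)) return true;
        // "/auth" must match "/auth/next" but not "/authx"
        return r.startsWith(p) && (p.endsWith("/") || r.charAt(p.length()) == '/');
    }

    static boolean shouldSend(Cookie c, URI target, long now) {
        if (target.getHost() == null) return false;
        if (now >= c.expiresAt()) return false;      // Max-Age elapsed
        if (c.secure() && !"https".equalsIgnoreCase(target.getScheme())) return false;
        return domainMatches(c, target.getHost()) && pathMatches(c, target.getPath());
    }

    // Cookie header value for the redirect or auth-retry request.
    static String cookieHeader(List<Cookie> jar, URI target, long now) {
        return jar.stream().filter(c -> shouldSend(c, target, now))
                  .map(c -> c.name() + "=" + c.value()).collect(Collectors.joining("; "));
    }

    public static void main(String[] args) {
        long now = 1_000_000L;
        // Constructed sample: cookies set by a response from https://login.example.test/auth
        List<Cookie> jar = List.of(
            new Cookie("sid", "abc", "example.test", false, "/", true, Long.MAX_VALUE),
            new Cookie("step", "2", "login.example.test", true, "/auth", false, Long.MAX_VALUE),
            new Cookie("old", "x", "example.test", false, "/", false, now - 1));
        for (String u : List.of("https://app.example.test/home", "http://app.example.test/home",
                                "https://login.example.test/auth/next"))
            System.out.println(u + " -> Cookie: " + cookieHeader(jar, URI.create(u), now));
    }
}
```

Copying every Set-Cookie value onto the redirected request without these checks would send a Secure cookie over plain HTTP or a host-only cookie to a sibling host, which is why the two issues are best fixed together.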
