hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tomáš Zilvar (JIRA) <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1451) HttpClient does not store response cookies on a 401
Date Mon, 08 Feb 2016 17:28:40 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15137287#comment-15137287

Tomáš Zilvar commented on HTTPCLIENT-1451:

[~olegk] it seems to me that stating the behavior proposed by the reporter would be _non-standard_
is at least debatable, if not simply not true. While we can agree that the client MAY ignore
the {{Set-Cookie}} header entirely, there is no reason that it should do so under these circumstances.
There is no requirement to repeat the request with no changes whatsoever (other than adding
Authorization header).

In fact the situation regarding standards in this case is quite the opposite I would say,
because when you do not run the whole chain again, you are not just discarding cookies from
the 401 response, but you are also in danger of sending expired cookies in the subsequent
request (the whole charade could take quite some time) when you just blindly send the same
one again appending an Authorization header, thus breaking RFC 6265 requirement:

A cookie is "expired" if the cookie has an expiry date in the past.

The user agent MUST evict all expired cookies from the cookie store
if, at any time, an expired cookie exists in the cookie store.

Last, but not least, this behavior was introduced in HttpClient 4, as opposed to HttpClient
3 which did respect a {{Set-Cookie}} header in the 401 authentication challenge.

> HttpClient does not store response cookies on a 401
> ---------------------------------------------------
>                 Key: HTTPCLIENT-1451
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1451
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpAuth
>    Affects Versions: 4.3.2
>            Reporter: Richard Sand
>            Priority: Minor
>             Fix For: 5.0
> Using HttpClient 4.3.2 to call a Web Service which is secured with BASIC authentication.
The server responds to the initial request with a 401 response but also includes a cookie.
> The HttpClient does not place response cookies into the cookie store until after it has
completed the subsequent request with the Authorize header, but the server rejects the authentication
if the cookie is missing. 
> To work around this I had to disable the authentication capability in the HttpClientContext
and manually check for the 401 response code, and then send a followup request with a manually
set Authorize header.
> So in the use case where the HttpClient is automatically sending a followup request with
credentials in response to a 401, the client should place the cookies from the original response
into the cookie store immediately, rather than waiting for after the response to the credentials
(the 2nd response).

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message