hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chirag Dewan <chirag.de...@ericsson.com>
Subject RE: Cookie spoofing issue using Commons Http Client 3.1
Date Mon, 09 Dec 2013 11:22:25 GMT
Hi Oleg,

I understand that Oleg. But it’s a legacy application which cannot be upgraded at the moment,
even though it was my first option as well.

Just in case,someone else has also faced a similar issue. It would be of great help.

One thing I forget to add which might of use, my application is acting as a proxy in here.
It accepts requests from a client and proxies it to a server thus manually getting all the
headers and setting the headers manually in the HttpClient.



-----Original Message-----
From: Oleg Kalnichevski [mailto:olegk@apache.org] 
Sent: Monday, December 09, 2013 4:36 PM
To: HttpClient User Discussion
Subject: Re: Cookie spoofing issue using Commons Http Client 3.1

On Mon, 2013-12-09 at 07:01 +0000, Chirag Dewan wrote:
> Hi all,
> I am using Http Client 3.1 in one of my applications. I am using it for a post request.
> My request flow is like this:
> 1)      Client sends a login request.
> 2)      Server sends a session id in Set-Cookie(Set-Cookie: sessionid=x)
> 3)      Client sends request ,with post data and same session id cookie.( Cookie: sessionid=x)
> 4)      Server responds to the request.
> 5)      Client sends another request with 2 session id Cookies,1 from the previous requests
and one other Session id Cookie.( Cookie: sessionid=x & Cookie: $Version=0; sessionid=y)
> 6)      Server unauthorize the client.
> It seems like Client is storing the session cookies,and sending 2 session cookies in
the request and the server rejects the request based on invalid session id.
> Thanks in advance.
> Chirag


HC 3.1 has been at end of life for several years now. It is neither being maintained or supported.
It is very unlikely anyone would investigate this issue. Please consider upgrading to HC 4.3


To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

View raw message