Affects Version/s: 4.3.3
Fix Version/s: None
Component/s: HttpClient (classic)
HTTP Client does not process cookies received from the server on the HTTP 401 challenge that initiates a Digest Auth procedure.
The server could be sending a cookie related to load balancing, which is crucial to ensure that the 2nd HTTP request with the challenge response (Authorization) reaches the same application/origin server that created it. Otherwise, the authentication may fail easily.
Imagine a scenario with a load balancer in front of 4 application servers with shared-nothing, i.e. no common state.
Request #1 - Challenge request:
Client sends a normal HTTP request. Load balancer routes it to node 1 and the client receives an HTTP 401 with Set-Cookie: LBCOOKIE=123456.node1.
Request #2 - Final request:
The client then computes the Authorization header and sends the request again.
However, because it does not include the Cookie, the load balancer routes it to node 3, which doesn't recognise the Authorization challenge and rejects it again with an HTTP 401.
Result: The client never passes authentication.