  1. HttpComponents HttpClient
  2. HTTPCLIENT-1788

Cookies for paths that are no prefix of the uri path are rejected (using CookieSpec Standard)

Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 4.5.2
    • Fix Version/s: 4.5.3, 5.0 Alpha2
    • Component/s: None
    • Labels: None

    Description

      Using CookieSpec Standard, if a response to an HTTP request to http://.../abc contains a cookie for the path /def, this cookie is rejected by httpclient. This is the correct behavior in the case of RFC 2109 (cf. HTTPCLIENT-1043). But RFC 6265 (as far as I know) does not state that a cookie path must be a prefix of the request URI path. In 8.6 it is even mentioned as a "security problem" that 'an HTTP response to a request for http://example.com/foo/bar can set a cookie with a Path attribute of "/qux"'.

      I know that I can work around my problem by using a custom cookie policy. I just wondered if this behavior of httpclient is correct with respect to RFC 6265.

      cf. http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201611.mbox/%3CADA7A9443C47CC4E9C065E9C84C6891D71D02963F0@ex01.ppinet.de%3E
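
The difference the report describes, as an added example that is not HttpClient code and not part of the original report: the RFC 2109 set-time prefix check beside the RFC 6265 rules, where the Path attribute is stored as given and only compared when choosing cookies for a later request. Class and method names are hypothetical, and the sample paths are constructed from the ones quoted in the description.

```java
// Added illustration, JDK only. Names are hypothetical, not HttpClient APIs.
public class CookiePathRules {

    // RFC 2109, section 4.3.2: a cookie is rejected at set time when its Path
    // attribute is not a plain string prefix of the request-URI path.
    static boolean rfc2109AcceptsOnSet(String pathAttr, String requestPath) {
        return requestPath.startsWith(pathAttr);
    }

    // RFC 6265, section 5.1.4: default-path, used when Path is absent or not absolute.
    static String defaultPath(String requestPath) {
        if (requestPath == null || !requestPath.startsWith("/")) return "/";
        int lastSlash = requestPath.lastIndexOf('/');
        return lastSlash == 0 ? "/" : requestPath.substring(0, lastSlash);
    }

    // RFC 6265, section 5.2.4: the Path attribute is stored as given, with no
    // comparison against the request path.
    static String rfc6265StoredPath(String pathAttr, String requestPath) {
        boolean usable = pathAttr != null && pathAttr.startsWith("/");
        return usable ? pathAttr : defaultPath(requestPath);
    }

    // RFC 6265, section 5.1.4: path-match, applied only when choosing which
    // stored cookies go into a later request.
    static boolean rfc6265PathMatch(String cookiePath, String requestPath) {
        if (requestPath.equals(cookiePath)) return true;
        if (!requestPath.startsWith(cookiePath)) return false;
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    public static void main(String[] args) {
        // Constructed cases: {request path of the response, Path attribute, later request path}
        String[][] cases = {
            {"/abc", "/def", "/def/page"},      // the situation in this report
            {"/foo/bar", "/qux", "/qux"},       // the RFC 6265 section 8.6 example
            {"/abc/login", "/abc", "/abcdef"},  // prefix without a path-segment boundary
        };
        for (String[] c : cases) {
            String stored = rfc6265StoredPath(c[1], c[0]);
            System.out.printf("set on %s with Path=%s: RFC 2109 accepts=%b, RFC 6265 stores Path=%s, sent to %s=%b%n",
                    c[0], c[1], rfc2109AcceptsOnSet(c[1], c[0]), stored, c[2], rfc6265PathMatch(stored, c[2]));
        }
    }
}
```

Because RFC 6265 applies no set-time check, the Path attribute cannot be relied on to isolate applications that share a host, which is the point section 8.6 makes.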

          People

            Assignee: Unassigned
            Reporter: Ole SH (osh)