Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Won't Fix
-
3.0 Final, 3.0.1, 3.1 RC1
-
None
-
Mac OSX 10.4.9
Java 1.5
Firefox 2.0.0.4
Description
If a web server sends this http header (for example, after an authentication) :
Set-Cookie: cookie-name="quoted-cookie-value-authent-ok";Path=/; secure
In the parsing of cookies, when HttpClient detects a quoted cookie, it strip the
first and the last quote '"', so it stores the value :
quoted-cookie-value-authent-ok
When you go on the next page after the authenticate page, with the policy
BROWSER_COMPATIBILITY and all others, HttpClient sends this http header :
Cookie: cookie-name=quoted-cookie-value-authent-ok
But the server expects to receive the value :
Cookie: cookie-name="quoted-cookie-value-authent-ok"
and it rejects the client because it doesn't recognize the authenticated cookie.
The server doesn't work correctly because quotation marks in cookie attributes
are optional as long as those attribute values contain no reserved characters,
but I don't have control above and if I do the same test with firefox, it stores
the cookie value with quotes '"'.
So, in the case of the policy BROWSER_COMPATIBILITY it would be better to don't
strip away quotes (like firefox).