[undertow-dev] comma separators in cookie headers

Brian R Wallis Brian.Wallis at infomedix.com.au
Fri Aug 3 05:17:31 EDT 2018


Are commas allowed as a separator of multiple cookies in a cookie header?

I am running an application in wildfly-11.0.0.Final and another application is making a request with two cookies, JSESSIONID and JSESSIONIDSSO. It is sending these as 

JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID=lDA5h47Pk_jrnIwAshNsQ7Ot269XyVSTR1mwYNEL.localhost

which then seems to be parsed into a single cookie

JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID

which of course does not work for the authentication so the request fails. This seems to be a failure in parsing the original cookie string. There is a bit of confusion in this area in the RFCs as the earlier ones allowed comma as a separator but the most recent, RFC-6265, does not. Undertow should probably allow a comma separator for backward compatibility with older implementations.

Thanks
brian wallis…


The full dump from the undertow request dumper is 


18:33:29,249 INFO  [io.undertow.request.dump] (Unknown) 
----------------------------REQUEST---------------------------
               URI=/infoapi/user/profile
 characterEncoding=null
     contentLength=-1
       contentType=[none]
            cookie=JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID
            header=Connection=Keep-Alive
            header=Orbeon-Token=5b4085e06896f374e8dec7a22f9e411a2b0d2105
            header=Accept-Encoding=gzip,deflate
            header=Content-Type=none
            header=Cookie=JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID=lDA5h47Pk_jrnIwAshNsQ7Ot269XyVSTR1mwYNEL.localhost
            header=Cookie2=$Version=1
            header=Host=localhost
            locale=[]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=/127.0.0.1:55984
        remoteHost=localhost
            scheme=http
              host=localhost
        serverPort=80
--------------------------RESPONSE--------------------------
     contentLength=71
       contentType=text/html;charset=UTF-8
            cookie=JSESSIONIDSSO=null; domain=null; path=/
            header=Expires=0
            header=Cache-Control=no-cache, no-store, must-revalidate
            header=X-Powered-By=Undertow/1
            header=Set-Cookie=JSESSIONIDSSO=""; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
            header=Server=WildFly/11
            header=Pragma=no-cache
            header=Date=Fri, 03 Aug 2018 08:33:29 GMT
            header=WWW-Authenticate=Basic realm="REST API authentication module"
            header=Content-Type=text/html;charset=UTF-8
            header=Content-Length=71
            status=401
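The report above comes down to how a request `Cookie` header is tokenised. The following is an added example, not Undertow's parser and not code from the post: a small Python parser that splits the header strictly per RFC 6265 (`;` only) or leniently (`;` and `,`, as RFC 2965-era clients expected), plus a validator that flags any pair whose value contains characters RFC 6265 forbids in a cookie-value. Run against the exact header quoted in the dump, strict parsing yields a single malformed `JSESSIONIDSSO` cookie, which the validator flags, while lenient parsing yields both session cookies. The function names are hypothetical; the header value is taken from the post.

```python
import re
from typing import List, Tuple

# Constructed sample: the Cookie header value quoted in the request dump above.
COOKIE_HEADER = (
    "JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, "
    "JSESSIONID=lDA5h47Pk_jrnIwAshNsQ7Ot269XyVSTR1mwYNEL.localhost"
)

# RFC 6265 section 4.1.1 cookie-octet: printable US-ASCII excluding
# DQUOTE (0x22), comma (0x2C), semicolon (0x3B) and backslash (0x5C).
_COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")
# RFC 2616 token characters, which RFC 6265 uses for cookie-name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_cookie_header(header: str, allow_comma: bool = False) -> List[Tuple[str, str]]:
    """Split a request Cookie header into (name, value) pairs.

    allow_comma=False follows RFC 6265 section 5.4: cookie-pairs are
    separated by ";" only.  allow_comma=True additionally treats "," as a
    separator, which older (RFC 2965-style) clients relied on.  Chunks
    without "=" are dropped, as RFC 6265 section 5.4 step 2 requires.
    """
    separators = r"[;,]" if allow_comma else r";"
    pairs: List[Tuple[str, str]] = []
    for chunk in re.split(separators, header):
        chunk = chunk.strip()
        if not chunk or "=" not in chunk:
            continue  # RFC 6265 ignores a cookie-string with no "="
        name, _, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def invalid_pairs(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the pairs whose name or value violates RFC 6265 syntax.

    A value that fails cookie-octet (for example one containing ", " and a
    second "name=") is the signature of a comma-joined header that was
    consumed as a single cookie; logging it makes the resulting 401 easy
    to diagnose instead of looking like a plain bad session.
    """
    bad = []
    for name, value in pairs:
        # RFC 6265 permits the value to be wrapped in a single pair of DQUOTEs.
        inner = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
        if not _TOKEN.match(name) or not _COOKIE_OCTET.match(inner):
            bad.append((name, value))
    return bad


if __name__ == "__main__":
    strict = parse_cookie_header(COOKIE_HEADER)
    print("strict  :", strict)
    print("flagged :", invalid_pairs(strict))
    lenient = parse_cookie_header(COOKIE_HEADER, allow_comma=True)
    print("lenient :", lenient)
    print("flagged :", invalid_pairs(lenient))
```

Splitting on `,` is safe only because RFC 6265 already excludes the comma from cookie-value, so a conforming client never sends one inside a value; a server that opts into the lenient mode loses nothing from conforming clients and recovers the two session cookies from the older client seen in the dump. Where a strict parser is kept, the validator gives a concrete condition to log at the point the authentication fails.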