<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Thanks for that. I did do a search but didn’t manage to find that ticket, better polish up my search skills :-)
<div class=""><br class="">
</div>
<div class="">brian…</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 3 Aug 2018, at 8:14 PM, Masafumi Miura <<a href="mailto:mmiura@redhat.com" class="">mmiura@redhat.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">Hi,<br class="">
<br class="">
This was already reported at <a href="https://issues.jboss.org/browse/UNDERTOW-1163" class="">
https://issues.jboss.org/browse/UNDERTOW-1163</a><br class="">
<br class="">
If you upgrade to WildFly 12 or later, you can allow a comma as cookie separator by setting the system property "io.undertow.legacy.cookie.COMMA_IS_SEPARATOR" to true:
<div class=""><br class="">
./bin/standalone.sh ... -Dio.undertow.legacy.cookie.COMMA_IS_SEPARATOR=true<br class="">
<br class="">
Thanks,<br class="">
--<br class="">
Masafumi Miura / 三浦 雅史<br class="">
<br class="">
On Fri, Aug 3, 2018 at 6:17 PM, Brian R Wallis &lt;<a href="mailto:Brian.Wallis@infomedix.com.au" class="">Brian.Wallis@infomedix.com.au</a>&gt; wrote:<br class="">
> Are commas allowed as a separator of multiple cookies in a cookie header?<br class="">
><br class="">
> I am running an application in wildfly-11.0.0.Final and another application is making a request with two cookies, JSESSIONID and JSESSIONIDSSO. It is sending these as<br class="">
><br class="">
> JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID=lDA5h47Pk_jrnIwAshNsQ7Ot269XyVSTR1mwYNEL.localhost<br class="">
><br class="">
> which then seems to be parsed into a single cookie<br class="">
><br class="">
> JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID<br class="">
><br class="">
> which of course does not work for the authentication so the request fails. This seems to be a failure in parsing the original cookie string. There is a bit of confusion in this area in the RFCs as the earlier ones allowed comma as a separator but the most
recent, RFC-6265, does not. Undertow should probably allow a comma separator for backward compatibility with older implementations.<br class="">
><br class="">
> Thanks<br class="">
> brian wallis…<br class="">
><br class="">
><br class="">
> The full dump from the undertow request dumper is<br class="">
><br class="">
><br class="">
> 18:33:29,249 INFO [io.undertow.request.dump] (Unknown)<br class="">
> ----------------------------REQUEST---------------------------<br class="">
> URI=/infoapi/user/profile<br class="">
> characterEncoding=null<br class="">
> contentLength=-1<br class="">
> contentType=[none]<br class="">
> cookie=JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID<br class="">
> header=Connection=Keep-Alive<br class="">
> header=Orbeon-Token=5b4085e06896f374e8dec7a22f9e411a2b0d2105<br class="">
> header=Accept-Encoding=gzip,deflate<br class="">
> header=Content-Type=none<br class="">
> header=Cookie=JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID=lDA5h47Pk_jrnIwAshNsQ7Ot269XyVSTR1mwYNEL.localhost<br class="">
> header=Cookie2=$Version=1<br class="">
> header=Host=localhost<br class="">
> locale=[]<br class="">
> method=GET<br class="">
> protocol=HTTP/1.1<br class="">
> queryString=<br class="">
> remoteAddr=/127.0.0.1:55984<br class="">
> remoteHost=localhost<br class="">
> scheme=http<br class="">
> host=localhost<br class="">
> serverPort=80<br class="">
> --------------------------RESPONSE--------------------------<br class="">
> contentLength=71<br class="">
> contentType=text/html;charset=UTF-8<br class="">
> cookie=JSESSIONIDSSO=null; domain=null; path=/<br class="">
> header=Expires=0<br class="">
> header=Cache-Control=no-cache, no-store, must-revalidate<br class="">
> header=X-Powered-By=Undertow/1<br class="">
> header=Set-Cookie=JSESSIONIDSSO=""; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT<br class="">
> header=Server=WildFly/11<br class="">
> header=Pragma=no-cache<br class="">
> header=Date=Fri, 03 Aug 2018 08:33:29 GMT<br class="">
> header=WWW-Authenticate=Basic realm="REST API authentication module"<br class="">
> header=Content-Type=text/html;charset=UTF-8<br class="">
> header=Content-Length=71<br class="">
> status=401<br class="">
><br class="">
><br class="">
><br class="">
><br class="">
> _______________________________________________<br class="">
> undertow-dev mailing list<br class="">
> <a href="mailto:undertow-dev@lists.jboss.org" class="">undertow-dev@lists.jboss.org</a><br class="">
> <a href="https://lists.jboss.org/mailman/listinfo/undertow-dev" class="">https://lists.jboss.org/mailman/listinfo/undertow-dev</a></div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
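<div class="">Added example, not part of the thread and not Undertow's code: a small Python model of the two parsing modes discussed above (';' only, as in RFC 6265, versus ',' also accepted as a separator), run on the Cookie header from the quoted request dump. The function names, and the rule that a second '=' ends a value (chosen because it reproduces the truncated cookie in the dump), are assumptions.</div>
<pre class="">
```python
import re

# Constructed from the Cookie header line in the request dump quoted in the thread.
HEADER = ("JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, "
          "JSESSIONID=lDA5h47Pk_jrnIwAshNsQ7Ot269XyVSTR1mwYNEL.localhost")

# A comma followed by something shaped like "name=" suggests the client
# is sending a legacy comma-separated cookie list.
LEGACY_COMMA = re.compile(r",\s*[\w.!#$%*+^|~-]+=")


def parse_cookie_header(header, comma_is_separator=False):
    """Split a Cookie header into {name: value}.

    comma_is_separator=False: only ';' separates pairs (RFC 6265 syntax).
    comma_is_separator=True:  ',' also separates pairs (older behaviour).
    Assumption: a second '=' inside a value ends the value. This is a model
    that reproduces the dump in the thread, not Undertow's implementation.
    """
    separators = ";," if comma_is_separator else ";"
    cookies = {}
    for pair in re.split("[" + separators + "]", header):
        name, eq, rest = pair.strip().partition("=")
        if not eq or not name:
            continue  # no '=' or empty name: not a usable pair
        value = rest.split("=", 1)[0].strip()
        cookies.setdefault(name, value)  # first occurrence wins
    return cookies


def uses_legacy_comma(header):
    """True when the header appears to separate cookies with commas."""
    return bool(LEGACY_COMMA.search(header))


def missing_cookies(header, required):
    """Names in `required` that a ';'-only parser would not see."""
    strict = parse_cookie_header(header, comma_is_separator=False)
    return [name for name in required if name not in strict]


if __name__ == "__main__":
    print(parse_cookie_header(HEADER))
    print(parse_cookie_header(HEADER, comma_is_separator=True))
    print(uses_legacy_comma(HEADER),
          missing_cookies(HEADER, ["JSESSIONIDSSO", "JSESSIONID"]))
```
</pre>
<div class="">With ';' as the only separator, JSESSIONID never appears as its own cookie, which matches the 401 in the dump; a check like uses_legacy_comma can be run over logged Cookie headers to find clients that still need the comma-separator setting.</div>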
</body>
</html>