Thanks for that. I did do a search but didn’t manage to find that ticket, better polish up my search skills :-)

brian…

On 3 Aug 2018, at 8:14 PM, Masafumi Miura <mmiura@redhat.com> wrote:

Hi,

This was already reported at https://issues.jboss.org/browse/UNDERTOW-1163

If you upgrade to WildFly 12 or later, you can allow a comma as cookie separator by setting the system property "io.undertow.legacy.cookie.COMMA_IS_SEPARATOR" to true:

    ./bin/standalone.sh ...  -Dio.undertow.legacy.cookie.COMMA_IS_SEPARATOR=true

Thanks,
--
Masafumi Miura / 三浦 雅史

On Fri, Aug 3, 2018 at 6:17 PM, Brian R Wallis <Brian.Wallis@infomedix.com.au> wrote:
> Are commas allowed as a separator of multiple cookies in a cookie header?
>
> I am running an application in wildfly-11.0.0.Final and another application is making a request with two cookies, JSESSIONID and JSESSIONIDSSO. It is sending these as
>
> JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID=lDA5h47Pk_jrnIwAshNsQ7Ot269XyVSTR1mwYNEL.localhost
>
> which then seems to be parsed into a single cookie
>
> JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID
>
> which of course does not work for the authentication so the request fails. This seems to be a failure in parsing the original cookie string. There is a bit of confusion in this area in the RFCs as the earlier ones allowed comma as a separator but the most recent, RFC-6265, does not. Undertow should probably allow a comma separator for backward compatibility with older implementations.
>
> Thanks
> brian wallis…
>
>
> The full dump from the undertow request dumper is
>
>
> 18:33:29,249 INFO  [io.undertow.request.dump] (Unknown)
> ----------------------------REQUEST---------------------------
>                URI=/infoapi/user/profile
>  characterEncoding=null
>      contentLength=-1
>        contentType=[none]
>             cookie=JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID
>             header=Connection=Keep-Alive
>             header=Orbeon-Token=5b4085e06896f374e8dec7a22f9e411a2b0d2105
>             header=Accept-Encoding=gzip,deflate
>             header=Content-Type=none
>             header=Cookie=JSESSIONIDSSO=jIEqQ-kTedwXrvqm9CBACBg8QlCXzJKILwCftnaV, JSESSIONID=lDA5h47Pk_jrnIwAshNsQ7Ot269XyVSTR1mwYNEL.localhost
>             header=Cookie2=$Version=1
>             header=Host=localhost
>             locale=[]
>             method=GET
>           protocol=HTTP/1.1
>        queryString=
>         remoteAddr=/127.0.0.1:55984
>         remoteHost=localhost
>             scheme=http
>               host=localhost
>         serverPort=80
> --------------------------RESPONSE--------------------------
>      contentLength=71
>        contentType=text/html;charset=UTF-8
>             cookie=JSESSIONIDSSO=null; domain=null; path=/
>             header=Expires=0
>             header=Cache-Control=no-cache, no-store, must-revalidate
>             header=X-Powered-By=Undertow/1
>             header=Set-Cookie=JSESSIONIDSSO=""; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
>             header=Server=WildFly/11
>             header=Pragma=no-cache
>             header=Date=Fri, 03 Aug 2018 08:33:29 GMT
>             header=WWW-Authenticate=Basic realm="REST API authentication module"
>             header=Content-Type=text/html;charset=UTF-8
>             header=Content-Length=71
>             status=401
>
>
>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev