JDK-8036017 : Set-Cookie response header is read as empty after setting CookieManager
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 7u51
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2014-02-28
  • Updated: 2014-06-11
  • Resolved: 2014-06-11
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7
7-poolResolved
Related Reports
Relates :  
JDK-7095980 - Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies
Description
1) Create a URL to a simple JSP (say HelloWorld.jsp) deployed in Web Server 
that maintains session (say TomCat). 
2) Create a CookieManager which accepts all cookies as given below: 

      CookieManager manager = new CookieManager (); 
      manager.setCookiePolicy(CookiePolicy.ACCEPT_ALL); 
      CookieHandler.setDefault(manager); 

3) ReadResponse 
   - Open connection and read response headers and body from the 
URLConnection. 
   - Write the response headers/body to the console. 
   - We find that Set-Cookie header has empty value. 

4) Repeat step #3 

Note: Please find MyCookieTest.java (attached) executing the above steps. 

Observation 
=========== 
From the response of step #3, we find that Set-cookie header has an empty 
value. However, from the contents of the CookieStore we find that the 
JSESSIONID cookie is stored (as expected). 

From the response of step #4, we find that Set-cookie header is absent and 
the session is maintained ( as expected). 

Test Files 
========== 
Please find the test case MyCookieTest.java and HelloWorld.jsp attached.
Comments
see JDK-7095980 for details.
11-06-2014
It is an expected behaviour by design. In HttpURLConnection.java [*] there is a code that filters out the values from Set-Cookie and Set-Cookie2 header fields: /** * Returns a filtered version of the given headers value. * * Note: The implementation currently only filters out HttpOnly cookies * from Set-Cookie and Set-Cookie2 headers. */ It filters values only when CookieManager is set up, // Filtering only if there is a cookie handler. [Assumption: the // cookie handler will store/retrieve the HttpOnly cookies] To be able to see Set-Cookie values in HttpURLConnection.getHeaderFields, one should not set up a CookieManager. [*] jdk9-dev/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
10-06-2014
I've captured some traffic and here are my findings. Wrt #3, server sends non empty Set-Cookie with JSESSIONID. Wrt #4, there is no "Set-Cookie" field in response packet from server, and this does seem valid as in the previous request the client sent required cookie with JSESSIONID and no new one is expected.
01-04-2014