JDK-8276774 : Cookie stored in CookieHandler not sent if user headers contain cookie
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 11.0.14,11.0.14-oracle,12,17,18
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2021-11-03
  • Updated: 2021-12-02
  • Resolved: 2021-11-19
JDK 11: 11.0.14-oracle (Fixed)
JDK 17: 17.0.2 (Fixed)
JDK 18: 18 b25 (Fixed)
Description
A DESCRIPTION OF THE PROBLEM :
An HTTP client gets a cookie back from a backend, which is stored in the CookieHandler. At the next request, the cookie is correctly added to the HttpRequest through the CookieFilter, but in case a user header "Cookie" was added to the request before, then the cookie added by the CookieFilter will be filtered out and not sent to the backend. This is typically the case with session cookies.

I think that the problem lies in the method jdk.internal.net.http.Http1Request.collectHeaders0(StringBuilder): see comment of line 111: "Filter any headers from systemHeaders that are set in userHeaders". The line 127 "collectCookie(...)" uses the filtered systemHeaders so any cookie set by the CookieFilter in the systemHeaders is filtered out in case the userHeaders contains some Cookie. 

I suppose that the problem is similar with HTTP/2 as the same filter is used in jdk.internal.net.http.Stream.headerFrame(long) at line 657, but I did not test it.

REGRESSION : Last worked in version 11.0.13

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Client sends an HTTP/1.1 request to Backend
2. Backend sends a response with a Set-Cookie: mycookie=1
3. The cookie mycookie is stored in the CookieHandler from Client
4. Client creates another request to Backend, adds header "Cookie: anotherone=2" and sends the request
5. CookieFilter adds the mycookie from the CookieHandler to the systemHeaders of the request


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
6. Http1Request.collectHeaders0 merges the Cookie from systemHeaders with the Cookie from userHeaders
7. Backend gets "Cookie: mycookie=1; anotherone=2"
ACTUAL -
6. Http1Request.collectHeaders0 filters out the Cookie from systemHeaders
7. Backend gets only "Cookie: anotherone=2"

CUSTOMER SUBMITTED WORKAROUND :
Manage the cookies at application level instead of using CookieHandler: this is not trivial and implies several changes in code of the applications.

FREQUENCY : always



Comments
Fix Request (11u): Should get backported for parity with 11.0.14-oracle. Applies almost cleanly. New test needs adaptation. Review: https://github.com/openjdk/jdk11u/pull/18
30-11-2021

Fix Request(17u): This fix resolves a regression introduced by https://bugs.openjdk.java.net/browse/JDK-8213189
Risk of regression: Low as this change reverts the cookie handling behaviour to its original, pre-regression implementation
Patch applies cleanly to 17u.
22-11-2021

Changeset: 03debf27
Author: Daniel Fuchs <dfuchs@openjdk.org>
Date: 2021-11-19 13:18:12 +0000
URL: https://git.openjdk.java.net/jdk/commit/03debf277537135974d3f55e3a5c7cf6842ee5e0
19-11-2021

The change of behavior described in this bug was caused by JDK-8213189.
08-11-2021

The observations on Windows 10:
JDK 11: Passed.
JDK 17ea+1: Failed, returned Cookie: [myclientcookie=2]
JDK 18ea+1: Failed.
06-11-2021

The outputs of the reproducer from the submitter:

Output with Java 11:
---Backend--- Server on port 7777 started
---Backend--- http://localhost:7777 handling GET /
---Backend--- Request headers:
---Backend--- Connection: [Upgrade, HTTP2-Settings]
---Backend--- Http2-settings: [AAEAAEAAAAIAAAABAAMAAABkAAQBAAAAAAUAAEAA]
---Backend--- Host: [localhost:7777]
---Backend--- Upgrade: [h2c]
---Backend--- User-agent: [Java-http-client/11.0.12]
---Backend--- Content-length: [0]
---Client--- Response Headers:
---Client--- content-length: [0]
---Client--- date: [Thu, 04 Nov 2021 15:30:06 GMT]
---Client--- set-cookie: [backendcookie=1]
---Backend--- http://localhost:7777 handling GET /
---Backend--- Request headers:
---Backend--- Cookie: [backendcookie=1]
---Backend--- Connection: [Upgrade, HTTP2-Settings]
---Backend--- Http2-settings: [AAEAAEAAAAIAAAABAAMAAABkAAQBAAAAAAUAAEAA]
---Backend--- Host: [localhost:7777]
---Backend--- Upgrade: [h2c]
---Backend--- User-agent: [Java-http-client/11.0.12]
---Backend--- Content-length: [0]
---Backend--- http://localhost:7777 handling GET /
---Backend--- Request headers:
---Backend--- Cookie: [backendcookie=1; myclientcookie=2]
---Backend--- Connection: [Upgrade, HTTP2-Settings]
---Backend--- Http2-settings: [AAEAAEAAAAIAAAABAAMAAABkAAQBAAAAAAUAAEAA]
---Backend--- Host: [localhost:7777]
---Backend--- Upgrade: [h2c]
---Backend--- User-agent: [Java-http-client/11.0.12]
---Backend--- Content-length: [0]
---Backend--- Server on port 7777 stopped
Note that the backend gets the backendcookie in the third request as expected.

Output with Java 17:
---Backend--- Server on port 7777 started
---Backend--- http://localhost:7777 handling GET /
---Backend--- Request headers:
---Backend--- Connection: [Upgrade, HTTP2-Settings]
---Backend--- Http2-settings: [AAEAAEAAAAIAAAABAAMAAABkAAQBAAAAAAUAAEAA]
---Backend--- Host: [localhost:7777]
---Backend--- Upgrade: [h2c]
---Backend--- User-agent: [Java-http-client/17.0.1]
---Backend--- Content-length: [0]
---Client--- Response Headers:
---Client--- content-length: [0]
---Client--- date: [Thu, 04 Nov 2021 15:24:21 GMT]
---Client--- set-cookie: [backendcookie=1]
---Backend--- http://localhost:7777 handling GET /
---Backend--- Request headers:
---Backend--- Cookie: [backendcookie=1]
---Backend--- Connection: [Upgrade, HTTP2-Settings]
---Backend--- Http2-settings: [AAEAAEAAAAIAAAABAAMAAABkAAQBAAAAAAUAAEAA]
---Backend--- Host: [localhost:7777]
---Backend--- Upgrade: [h2c]
---Backend--- User-agent: [Java-http-client/17.0.1]
---Backend--- Content-length: [0]
---Backend--- http://localhost:7777 handling GET /
---Backend--- Request headers:
---Backend--- Cookie: [myclientcookie=2]
---Backend--- Connection: [Upgrade, HTTP2-Settings]
---Backend--- Http2-settings: [AAEAAEAAAAIAAAABAAMAAABkAAQBAAAAAAUAAEAA]
---Backend--- Host: [localhost:7777]
---Backend--- Upgrade: [h2c]
---Backend--- User-agent: [Java-http-client/17.0.1]
---Backend--- Content-length: [0]
---Backend--- Server on port 7777 stopped
Note that the Backend does not get the backendcookie in the third request as expected.
06-11-2021

Requested a complete reproducer from the submitter.
04-11-2021