Salesforce Set-Cookie ignored with Jetty client #1600

Open
martin-frydl opened this issue Jan 4, 2024 · 1 comment

@martin-frydl

CometD version(s)

8.0-beta1

Java version & vendor (use: java -version)

openjdk version "17.0.9" 2023-10-17
OpenJDK Runtime Environment (build 17.0.9+9-Ubuntu-122.04)
OpenJDK 64-Bit Server VM (build 17.0.9+9-Ubuntu-122.04, mixed mode, sharing)

Description

This is mainly a Salesforce error, so you will probably reject it, but anyway... Salesforce sends Set-Cookie headers with "expires" in the wrong format: `expires=Thu, 02-Jan-2025 14:21:47 GMT`. According to RFC 2616, it should be either `Thu, 02 Jan 2025...` or `Thursday, 02-Jan-25`: either short weekday and spaces, or long weekday, hyphens and short year. When used with the Jetty client, the value is parsed using SetCookieParser.newInstance() -> RFC6265SetCookieParser, which will fail as it does not follow the specification. Note that there is also a problem with splitting the value by comma - issue #1599.

How to reproduce?

Not sure, I'm using cometd to connect to Salesforce to read notifications.

Workaround

The problem can be "fixed" by overriding the storeCookies() method in JettyHttpClientTransport:

```java
JettyHttpClientTransport httpTransport = new JettyHttpClientTransport(options, httpClient.getHttpClient()) {
    @Override
    protected void storeCookies(URI uri, Map<String, List<String>> headers) {
        // ... "fix" the values and create newMap - simple regexp search & replace
        super.storeCookies(uri, newMap);
    }
};
client = new BayeuxClient(url, httpTransport);
```

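
One way to fill in the "fix the values" step of the workaround above, as an added example that is not part of the original issue or of CometD/Jetty code. The class and method names are hypothetical, the header name match on "Set-Cookie" is an assumption, and the sample header is constructed; the pattern rewrites only an Expires attribute in the reported format and leaves cookie names, values and other attributes untouched.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical helper (not CometD or Jetty code) for the storeCookies() override.
public class SetCookieExpiresFixer {
    // Matches only an Expires attribute in the form reported in the issue:
    // short weekday, hyphenated date, four-digit year, e.g.
    // "expires=Thu, 02-Jan-2025 14:21:47 GMT". Anchored on "; expires=" so a
    // cookie value that happens to contain a similar date is never rewritten.
    private static final Pattern BAD_EXPIRES = Pattern.compile(
            "(?i)(;\\s*expires=[a-z]{3},\\s*\\d{1,2})-([a-z]{3})-(\\d{4}\\s)");

    // Rewrites "02-Jan-2025" to "02 Jan 2025" inside the Expires attribute only.
    static String fixExpires(String setCookie) {
        return BAD_EXPIRES.matcher(setCookie).replaceAll("$1 $2 $3");
    }

    // Builds the replacement map without mutating the caller's headers.
    // Intended use in the override: super.storeCookies(uri, fixHeaders(headers));
    static Map<String, List<String>> fixHeaders(Map<String, List<String>> headers) {
        Map<String, List<String>> newMap = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            if (name != null && name.equalsIgnoreCase("Set-Cookie")) {
                List<String> fixed = new ArrayList<>();
                for (String value : e.getValue()) {
                    fixed.add(fixExpires(value));
                }
                newMap.put(name, fixed);
            } else {
                newMap.put(name, e.getValue());
            }
        }
        return newMap;
    }

    public static void main(String[] args) {
        // Constructed sample header; the cookie name and value are made up.
        Map<String, List<String>> headers = Map.of("Set-Cookie", List.of(
                "sample=02-Jan-2025; expires=Thu, 02-Jan-2025 14:21:47 GMT; Path=/; Secure"));
        System.out.println(fixHeaders(headers));
    }
}
```
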
@sbordet
Member

sbordet commented Feb 7, 2024

Have you tried to report this to Salesforce? They should really not send A) the deprecated Expires attribute (Max-Age should be used instead), and B) the wrong date format.

We could be more lenient, but I don't want to pay the cost of extra processing for an invalid format that the server should not send.
