Spring HTTP clients do not enforce RFC 6265 (cookies in a single header) [SPR-12196] #16810
Labels: in: web, status: backported, type: enhancement
Cédrik LIME opened SPR-12196 and commented
RFC 6265 mandates that all cookies be placed in a single Cookie HTTP header: "When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field."
Spring HTTP Client (using SimpleHttpClient) does not follow this requirement, which can break applications using multiple cookies.
In my own tests, Apache httpd tends to be quite lenient, whereas IIS strictly follows RFC 6265.
Affected classes are:
org.springframework.http.client.SimpleBufferingAsyncClientHttpRequest#executeInternal()
org.springframework.http.client.SimpleBufferingClientHttpRequest#executeInternal()
org.springframework.http.client.SimpleStreamingAsyncClientHttpRequest#writeHeaders()
org.springframework.http.client.SimpleStreamingClientHttpRequest#writeHeaders()
All those classes should read when copying HTTP headers to the underlying connection:
Fixing this bug in client (application) code is quite difficult, since those classes are package-private, final, and their state is private.
Hence this should really be taken care of in Spring Framework.
Affects: 3.2.11, 4.1 GA
Backported to: 4.0.8, 3.2.12
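As an added illustration (not Spring Framework code, and not the snippet the reporter left out of the issue), the following Java example shows the header-copying rule the report calls for: every value of the Cookie header is joined with "; " and written to the connection once, while all other headers are copied value by value as before. The HeaderSink interface is a hypothetical stand-in for the underlying connection's addRequestProperty method, so the example runs offline; the sample headers are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added illustration (not Spring Framework code): copy request headers to a
 * connection while collapsing every "Cookie" value into one header line,
 * as RFC 6265 section 5.4 requires (values separated by "; ").
 */
public final class CookieHeaderMerger {

    /** Hypothetical stand-in for the connection's addRequestProperty(name, value). */
    public interface HeaderSink {
        void addRequestProperty(String name, String value);
    }

    private CookieHeaderMerger() {}

    /**
     * Copies all headers to the sink. Non-cookie headers are written one
     * value per header line; cookie values are joined and written once.
     */
    public static void copyHeaders(Map<String, List<String>> headers, HeaderSink sink) {
        for (Map.Entry<String, List<String>> entry : headers.entrySet()) {
            String name = entry.getKey();
            List<String> values = entry.getValue();
            if ("Cookie".equalsIgnoreCase(name)) {
                // RFC 6265: a user agent MUST NOT attach more than one Cookie header field.
                sink.addRequestProperty(name, String.join("; ", values));
            } else {
                for (String value : values) {
                    sink.addRequestProperty(name, value);
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample request headers carrying two separate cookie values.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Accept", List.of("application/json"));
        headers.put("Cookie", List.of("JSESSIONID=abc123", "XSRF-TOKEN=def456"));

        // Collect what would be written to the connection, one line per header field.
        List<String> lines = new ArrayList<>();
        copyHeaders(headers, (name, value) -> lines.add(name + ": " + value));
        lines.forEach(System.out::println);
    }
}
```

Because the merge happens before the value reaches the connection, a server that rejects multiple Cookie header fields sees exactly one, while the per-value copy for every other header is left unchanged.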