[jira] [Comment Edited] (HTTPCLIENT-2361) Use of multiple "Cookie" headers leads to exception

Julian Reschke (Jira) Thu, 06 Feb 2025 04:15:42 -0800


    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17924445#comment-17924445
 ]


Julian Reschke edited comment on HTTPCLIENT-2361 at 2/6/25 12:14 PM:
---------------------------------------------------------------------

-FWIW, see:-

-[https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-4.2.1]-
{quote}-Servers MUST be tolerant of multiple cookie headers. For example, an 
HTTP/2 [[RFC9113|https://www.rfc-editor.org/rfc/rfc9113]] or HTTP/3 
[[RFC9114|https://www.rfc-editor.org/rfc/rfc9114]] client or intermediary might 
split a cookie header to improve compression. Servers are free to determine 
what form this tolerance takes. For example, the server could process each 
cookie header individually or the server could concatenate all the cookie 
headers into one and then process that final, single, header. The server should 
be mindful of any header field limits when deciding which approach to take.-
{quote}


was (Author: reschke):
FWIW, see:

[https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-4.2.1]
{quote}Servers MUST be tolerant of multiple cookie headers. For example, an 
HTTP/2 [[RFC9113|https://www.rfc-editor.org/rfc/rfc9113]] or HTTP/3 
[[RFC9114|https://www.rfc-editor.org/rfc/rfc9114]] client or intermediary might 
split a cookie header to improve compression. Servers are free to determine 
what form this tolerance takes. For example, the server could process each 
cookie header individually or the server could concatenate all the cookie 
headers into one and then process that final, single, header. The server should 
be mindful of any header field limits when deciding which approach to take.
{quote}

> Use of multiple "Cookie" headers leads to exception
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-2361
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2361
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 5.4.2
>            Reporter: shpelda
>            Priority: Trivial
>             Fix For: 5.4.3, 5.5-alpha1
>
>
> Using multiple Cookie headers leads to exception. In my case  they were set 
> by apache-cxf:4.0.1, using  
> _WebClient.getConfig(cxfClientProxy).getHttpConduit().getCookies().put()_
>  
> {code:java}
> Caused by: org.apache.hc.core5.http.ProtocolException: multiple 'Cookie' 
> headers found
>     at 
> org.apache.hc.core5.http.message.HeaderGroup.getHeader(HeaderGroup.java:267)
>     at 
> org.apache.hc.client5.http.protocol.RequestAddCookies.process(RequestAddCookies.java:94)
>     at 
> org.apache.hc.core5.http.protocol.DefaultHttpProcessor.process(DefaultHttpProcessor.java:107)
>     at 
> org.apache.hc.client5.http.impl.async.HttpAsyncMainClientExec$1.produceRequest(HttpAsyncMainClientExec.java:153)
>     at 
> org.apache.hc.core5.http.impl.nio.ClientHttp1StreamHandler.produceOutput(ClientHttp1StreamHandler.java:186)
>     at 
> org.apache.hc.core5.http.impl.nio.ClientHttp1StreamDuplexer.execute(ClientHttp1StreamDuplexer.java:326)
>     at 
> org.apache.hc.core5.http.impl.nio.AbstractHttp1StreamDuplexer.processCommands(AbstractHttp1StreamDuplexer.java:242)
>     at 
> org.apache.hc.core5.http.impl.nio.AbstractHttp1StreamDuplexer.onOutput(AbstractHttp1StreamDuplexer.java:389)
>     at 
> org.apache.hc.core5.http.impl.nio.AbstractHttp1IOEventHandler.outputReady(AbstractHttp1IOEventHandler.java:73)
>     at 
> org.apache.hc.core5.http.impl.nio.ClientHttp1IOEventHandler.outputReady(ClientHttp1IOEventHandler.java:41)
>     at 
> org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:153)
>     at 
> org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
>     at 
> org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:176)
>     at 
> org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:125)
>     at 
> org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:92)
>     at 
> org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
>     at java.base/java.lang.Thread.run(Thread.java:833) {code}
> I think that this code should use _getHeaders(name)_ instead:
> [https://hc.apache.org/httpcomponents-client-5.4.x/5.4.1/httpclient5/xref/org/apache/hc/client5/http/protocol/RequestAddCookies.html#L94]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

[jira] [Comment Edited] (HTTPCLIENT-2361) Use of multiple "Cookie" headers leads to exception

Reply via email to