[jira] [Comment Edited] (HTTPCLIENT-2361) Use of multiple "Cookie" headers leads to exception

Thu, 06 Feb 2025 04:24:59 -0800 


    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17924519#comment-17924519
 ] 

Julian Reschke edited comment on HTTPCLIENT-2361 at 2/6/25 12:17 PM:
---------------------------------------------------------------------

[~abernal] - yes, sorry, I linked to the wrong section.

See 
<[https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.8.1]>:

??Note: Previous versions of this specification required that only one Cookie 
header field be sent in requests. This is no longer a requirement. While this 
specification requires that a single cookie-string be produced, some user 
agents may split that string across multiple cookie header fields. For 
examples, see [Section 8.2.3|https://rfc-editor.org/rfc/rfc9113#section-8.2.3] 
of [[RFC9113|https://www.rfc-editor.org/rfc/rfc9113]] and [Section 
4.2.1|https://rfc-editor.org/rfc/rfc9114#section-4.2.1] of 
[[RFC9114|https://www.rfc-editor.org/rfc/rfc9114]].??

So the MUST-level requirement is gone, because components may have good reasons 
to split the field value. A server indeed has to handle this case anyway.

[~olegk] - I'm aware that you have a different understanding of how the 
standards process in the IETF works (and what spec revision applies to what). 
Let's not have that discussion again.


was (Author: reschke):
[~abernal] - yes, sorry, I linked to the wrong section.

See 
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.8.1>:

??Note: Previous versions of this specification required that only one Cookie 
header field be sent in requests. This is no longer a requirement. While this 
specification requires that a single cookie-string be produced, some user 
agents may split that string across multiple cookie header fields. For 
examples, see [Section 8.2.3|https://rfc-editor.org/rfc/rfc9113#section-8.2.3] 
of [[RFC9113|https://www.rfc-editor.org/rfc/rfc9113]] and [Section 
4.2.1|https://rfc-editor.org/rfc/rfc9114#section-4.2.1] of 
[[RFC9114|https://www.rfc-editor.org/rfc/rfc9114]].??
So the MUST-level requirement is gone, because components may have good reasons 
to split the field value. A server indeed has to handle this case anyway.

[~olegk] - I'm aware that you have a different understanding of how the 
standards process in the IETF works (and what spec revision applies to what). 
Let's not have that discussion again.

> Use of multiple "Cookie" headers leads to exception
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-2361
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2361
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 5.4.2
>            Reporter: shpelda
>            Priority: Trivial
>             Fix For: 5.4.3, 5.5-alpha1
>
>
> Using multiple Cookie headers leads to exception. In my case  they were set 
> by apache-cxf:4.0.1, using  
> _WebClient.getConfig(cxfClientProxy).getHttpConduit().getCookies().put()_
>  
> {code:java}
> Caused by: org.apache.hc.core5.http.ProtocolException: multiple 'Cookie' 
> headers found
>     at 
> org.apache.hc.core5.http.message.HeaderGroup.getHeader(HeaderGroup.java:267)
>     at 
> org.apache.hc.client5.http.protocol.RequestAddCookies.process(RequestAddCookies.java:94)
>     at 
> org.apache.hc.core5.http.protocol.DefaultHttpProcessor.process(DefaultHttpProcessor.java:107)
>     at 
> org.apache.hc.client5.http.impl.async.HttpAsyncMainClientExec$1.produceRequest(HttpAsyncMainClientExec.java:153)
>     at 
> org.apache.hc.core5.http.impl.nio.ClientHttp1StreamHandler.produceOutput(ClientHttp1StreamHandler.java:186)
>     at 
> org.apache.hc.core5.http.impl.nio.ClientHttp1StreamDuplexer.execute(ClientHttp1StreamDuplexer.java:326)
>     at 
> org.apache.hc.core5.http.impl.nio.AbstractHttp1StreamDuplexer.processCommands(AbstractHttp1StreamDuplexer.java:242)
>     at 
> org.apache.hc.core5.http.impl.nio.AbstractHttp1StreamDuplexer.onOutput(AbstractHttp1StreamDuplexer.java:389)
>     at 
> org.apache.hc.core5.http.impl.nio.AbstractHttp1IOEventHandler.outputReady(AbstractHttp1IOEventHandler.java:73)
>     at 
> org.apache.hc.core5.http.impl.nio.ClientHttp1IOEventHandler.outputReady(ClientHttp1IOEventHandler.java:41)
>     at 
> org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:153)
>     at 
> org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
>     at 
> org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:176)
>     at 
> org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:125)
>     at 
> org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:92)
>     at 
> org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
>     at java.base/java.lang.Thread.run(Thread.java:833) {code}
> I think that this code should use _getHeaders(name)_ instead:
> [https://hc.apache.org/httpcomponents-client-5.4.x/5.4.1/httpclient5/xref/org/apache/hc/client5/http/protocol/RequestAddCookies.html#L94]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Reply via email to