Response Header Set-Cookie value doesn't have quotation marks
joelgtsantos opened this issue
I'm using TornadoCookieCodec in cms-users-admin to generate a Tornado signed cookie V2 as part of the login process for a third-party application written in Python using the Tornado v4.5.3 web framework. Unfortunately, the Set-Cookie response header value doesn't come inside a pair of double quotes (") as expected. For example, here is an extract of the response headers:
Response Headers
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers
Set-Cookie: new_contest1_login=2|1:0|10:1526870692|18:new_contest1_login|100:KFZhbGVrc3B1bnhnbWFpbGNvbQpwMApWcGxhaW50ZXh0OnVaZDNkajAkY3BldXcxMnBxegpwMQpGMTUyNjg3MDYzNQp0cDIKLg==|635a78b087c10e3351ed93577d4f9cec7d7bf043a6e98eb68ffabecc4269968a; Domain=192.168.187.134;
Context
This is important to me; otherwise, the third-party application won't recognize the Set-Cookie header, denying access to any of its resources.
Possible Implementation
What if the TornadoCookieCodec writes the cookie value within quotation marks whether it's required?
Environment
- Library version used: 0.3.1
- JRE version used: 1.8.x
- Framework used: Spring boot App - 1.5.2.RELEASE
- Project: https://github.com/joelgtsantos/cms-users-admin
Hi @joelgtsantos, thanks for your feedback. I did a quick search in your project's master branch and it seems your application is sending the generated cookie as part of the response headers using org.apache.catalina.core.ApplicationHttpResponse#addCookie() here, letting the Servlet container (Tomcat) add the double quotes (") where needed, following the RFC 2109 specification. My understanding is that Tomcat uses the LegacyCookieProcessor to do it. Could you confirm whether your application is using the mentioned cookie processor? I think the other one should not work as you expected.
By the way, regarding your suggestion I have to decline since this library only ports the signature process in Tornado secure cookies; the header generation and parsing should be handled by the servlet container itself (Tomcat, Jetty, Undertow, etc).
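@jossemarGT I appreciate your explanation of how the Servlet container works; indeed, that helped me find a better solution, which is to replace the cookie processor with the LegacyCookieProcessor in my configuration class.
import org.apache.tomcat.util.http.LegacyCookieProcessor;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

// Switch every context of the embedded Tomcat to LegacyCookieProcessor.
@Bean
public EmbeddedServletContainerCustomizer customCookieProcessor() {
    return container -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
            tomcat.addContextCustomizers(context -> context.setCookieProcessor(new LegacyCookieProcessor()));
        }
    };
}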
Regards,
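As an added illustration (not code from this thread or from the library discussed): the signed-value V2 layout visible in the Set-Cookie header above, built and verified in Python, accepting the value with or without the double quotes a servlet container may add. The secret, the payload and the function names `sign_v2` and `verify_v2` are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed; stands in for the app's cookie secret


def _field(s: bytes) -> bytes:
    return str(len(s)).encode() + b":" + s


def sign_v2(secret: bytes, name: str, value: bytes, ts: int) -> bytes:
    """Build 2|len:keyver|len:ts|len:name|len:b64value|hex(HMAC-SHA256)."""
    to_sign = b"|".join([b"2", _field(b"0"), _field(str(ts).encode()),
                         _field(name.encode()), _field(base64.b64encode(value)), b""])
    return to_sign + hmac.new(secret, to_sign, hashlib.sha256).hexdigest().encode()


def verify_v2(secret, name, cookie, max_age_s=31 * 86400, now=None):
    """Return the decoded value, or None if malformed, forged, misnamed or expired."""
    # An RFC 2109 style cookie processor may wrap the value in double quotes.
    if len(cookie) >= 2 and cookie[:1] == b'"' and cookie[-1:] == b'"':
        cookie = cookie[1:-1]
    try:
        if not cookie.startswith(b"2|"):
            return None
        rest, fields = cookie[2:], []
        for _i in range(4):  # key version, timestamp, name, value
            length, _sep, rest = rest.partition(b":")
            n = int(length)
            if rest[n:n + 1] != b"|":
                return None
            fields.append(rest[:n])
            rest = rest[n + 1:]
        _key_version, ts, signed_name, b64_value = fields
        signed_part = cookie[:len(cookie) - len(rest)]  # everything before the signature
        expected = hmac.new(secret, signed_part, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(rest, expected):  # constant-time comparison
            return None
        if signed_name != name.encode():
            return None
        now = time.time() if now is None else now
        if int(ts) < now - max_age_s:
            return None
        return base64.b64decode(b64_value)
    except (ValueError, TypeError):
        return None
```
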