jossemarGT / cookie-twist

Java secure cookies with a signed twist (Python tornado compliant cookies).


Response Header Set-Cookie value doesn't have quotation marks

joelgtsantos opened this issue · comments

I'm using TornadoCookieCodec in cms-users-admin to generate a Tornado signed cookie V2 as part of the login process for a third-party application written in Python using the Tornado v4.5.3 web framework. Unfortunately, the Set-Cookie response header value doesn't come inside a pair of double quotes (") as expected, as you can see in this extract of the response headers:

Response Headers
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers
Set-Cookie: new_contest1_login=2|1:0|10:1526870692|18:new_contest1_login|100:KFZhbGVrc3B1bnhnbWFpbGNvbQpwMApWcGxhaW50ZXh0OnVaZDNkajAkY3BldXcxMnBxegpwMQpGMTUyNjg3MDYzNQp0cDIKLg==|635a78b087c10e3351ed93577d4f9cec7d7bf043a6e98eb68ffabecc4269968a; Domain=192.168.187.134; 


Context

This is important to me; otherwise, the third-party application won't recognize the Set-Cookie header, denying access to any of its resources.

Possible Implementation

What if the TornadoCookieCodec wrote the cookie value within quotation marks when it's required?

Environment
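The Set-Cookie value quoted above follows Tornado's version-2 signed-value layout: a version tag, then length-prefixed fields (key version, Unix timestamp, cookie name, base64 payload), then an HMAC-SHA256 hex digest over everything before it. The following is an added example written for this thread, not code from cookie-twist or from Tornado: a Python port of that format that builds, parses and verifies such a cookie. The secret, cookie name and payload used in the demo are constructed; the framing of the cookie from the issue is parsed too, but its signature cannot be checked without the application's secret.

```python
import base64
import hashlib
import hmac
import time

# Added example: port of Tornado's version-2 signed-cookie format.
# Not code from cookie-twist or Tornado; secrets and values are constructed.

SIG_HEX_LEN = 64  # hex digest length of HMAC-SHA256


def _field(s: bytes) -> bytes:
    """Length-prefix one field: b'<len>:<bytes>'."""
    return b"%d:%s" % (len(s), s)


def _signature_v2(secret: str, signed: bytes) -> bytes:
    """HMAC-SHA256 over everything before the signature, as lowercase hex."""
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest().encode()


def create_signed_value_v2(secret, name, value, key_version=0, clock=time.time):
    """Build b'2|<kv>|<ts>|<name>|<base64 value>|<hex hmac>'."""
    to_sign = b"|".join([
        b"2",
        _field(str(key_version).encode()),
        _field(str(int(clock())).encode()),
        _field(name.encode()),
        _field(base64.b64encode(value)),
        b"",  # yields the trailing '|' that separates the signature
    ])
    return to_sign + _signature_v2(secret, to_sign)


def _consume_field(rest: bytes):
    """Split off one length-prefixed field; raise ValueError if malformed."""
    length, _, rest = rest.partition(b":")
    n = int(length)
    if rest[n:n + 1] != b"|":
        raise ValueError("malformed v2 signed value field")
    return rest[:n], rest[n + 1:]


def parse_fields_v2(cookie: bytes):
    """Return (key_version, timestamp, name, b64value, signature); no verification."""
    if not cookie.startswith(b"2|"):
        raise ValueError("not a version 2 signed value")
    rest = cookie[2:]
    key_version, rest = _consume_field(rest)
    timestamp, rest = _consume_field(rest)
    name, rest = _consume_field(rest)
    b64value, signature = _consume_field(rest)
    return int(key_version), int(timestamp), name, b64value, signature


def decode_signed_value_v2(secret, name, cookie, max_age_days=31, clock=time.time):
    """Return the plaintext bytes, or None if framing, signature, name or age fail."""
    try:
        _kv, timestamp, name_field, b64value, passed_sig = parse_fields_v2(cookie)
    except ValueError:
        return None
    if len(passed_sig) != SIG_HEX_LEN:
        return None
    expected = _signature_v2(secret, cookie[:-SIG_HEX_LEN])
    if not hmac.compare_digest(passed_sig, expected):  # constant-time compare
        return None
    if name_field != name.encode():  # a value signed for another cookie name is rejected
        return None
    if timestamp < clock() - max_age_days * 86400:
        return None
    try:
        return base64.b64decode(b64value, validate=True)
    except ValueError:
        return None


def peek_value(cookie: bytes) -> bytes:
    """Read the payload WITHOUT the secret: the cookie is signed, not encrypted."""
    return base64.b64decode(parse_fields_v2(cookie)[3])


# Set-Cookie value from the issue above; only its framing is checked here.
ISSUE_COOKIE = (
    b"2|1:0|10:1526870692|18:new_contest1_login|100:"
    b"KFZhbGVrc3B1bnhnbWFpbGNvbQpwMApWcGxhaW50ZXh0OnVaZD"
    b"NkajAkY3BldXcxMnBxegpwMQpGMTUyNjg3MDYzNQp0cDIKLg==|"
    b"635a78b087c10e3351ed93577d4f9cec7d7bf043a6e98eb68ffabecc4269968a"
)

if __name__ == "__main__":
    kv, ts, name, _, sig = parse_fields_v2(ISSUE_COOKIE)
    print("issue cookie:", kv, ts, name, "sig hex chars:", len(sig))
    secret = "demo-secret"  # constructed for the example
    c = create_signed_value_v2(secret, "login", b"alice@example.com", clock=lambda: 1526870692)
    print(c)
    print(decode_signed_value_v2(secret, "login", c, clock=lambda: 1526870700))
```

Two points worth noticing when running it: the payload is recoverable with peek_value and no secret at all, so anything sensitive placed in a signed cookie is readable by whoever holds the cookie; and the raw value contains `|`, `:` and `=`, and whether a servlet container wraps such a value in double quotes is decided by its cookie processor, which is what the rest of this thread settles.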

Hi @joelgtsantos, thanks for your feedback. I did a quick search in your project's master branch and it seems your application is sending the generated cookie as part of the response headers using org.apache.catalina.core.ApplicationHttpResponse#addCookie() here, letting the Servlet container (Tomcat) add the double quotes (") where needed, following the RFC 2109 specification. My understanding is that Tomcat uses the LegacyCookieProcessor to do it. Could you confirm whether your application is using the mentioned cookie processor? I think the other one would not work as you expect.

By the way, regarding your suggestion I have to decline since this library only ports the signature process in Tornado secure cookies; the header generation and parsing should be handled by the servlet container itself (Tomcat, Jetty, Undertow, etc).

@jossemarGT I appreciate your explanation about how the Servlet container works; indeed, that helped me to find a better solution, which is to change the cookie processor to the LegacyCookieProcessor in my configuration class.

	import org.apache.tomcat.util.http.LegacyCookieProcessor;
	import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
	import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
	import org.springframework.context.annotation.Bean;

	// Spring Boot 1.x: replace the Rfc6265CookieProcessor that Tomcat 8.5+
	// uses by default with the LegacyCookieProcessor, which follows RFC 2109
	// and adds the double quotes where the cookie value requires them.
	@Bean
	public EmbeddedServletContainerCustomizer customCookieProcessor() {
	    return container -> {
	        if (container instanceof TomcatEmbeddedServletContainerFactory) {
	            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
	            tomcat.addContextCustomizers(context -> context.setCookieProcessor(new LegacyCookieProcessor()));
	        }
	    };
	}

Regards,