Posted to java-dev@axis.apache.org by "Davanum Srinivas (JIRA)" <ax...@ws.apache.org> on 2005/06/10 15:28:47 UTC

[jira] Assigned: (AXIS-2045) HTTPSender - Cookie Management

     [ http://issues.apache.org/jira/browse/AXIS-2045?page=all ]

Davanum Srinivas reassigned AXIS-2045:
--------------------------------------

    Assign To: Jayachandra Sekhara Rao Sunkara

> HTTPSender - Cookie Management
> ------------------------------
>
>          Key: AXIS-2045
>          URL: http://issues.apache.org/jira/browse/AXIS-2045
>      Project: Axis
>         Type: Bug
>   Components: Basic Architecture
>     Versions: 1.2
>  Environment: WebService running behind SiteMinder.
>     Reporter: Subbarao Ayyagari
>     Assignee: Jayachandra Sekhara Rao Sunkara

>
> The handleCookie method in HTTPSender.java has a couple of issues:
>      1. It assumes NAME=VALUE of a session cookie remains constant. To find out if a cookie already exists or not, it uses a cookies.indexOf(cookie)==-1 check.
>          While the assumption that a session cookie's NAME=VALUE pair remains the same is true for most cases, it is not true with SiteMinder. SiteMinder's SMSESSION cookie has a different value each time a request is made. With the above check, the HTTPSender ends up thinking each unique SMSESSION=NEW_VALUE is a different cookie and adds it to the subsequent requests. This throws SiteMinder off as there are now multiple SMSESSION cookies.
>          One way to fix this is to check for NAME match rather than NAME=VALUE match in the list of cookies. 
>      2. The class doesn't parse the "Set-Cookie" HEADER to see if the cookie is EXPIRED or not. Thus causing it to send even the expired cookies back to the Server on subsequent requests. We can leverage some of the cookie parsing code in Apache Commons HttpClient library that smartly checks for expiry, domain, path etc.
> Thanks

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
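
The two fixes proposed in the report (match stored cookies by NAME rather than NAME=VALUE, and drop cookies whose Set-Cookie header marks them expired) can be sketched as follows. This is an added example, not the Axis HTTPSender code or the eventual patch; the class `NameKeyedCookieJar`, its methods and the sample cookie values are hypothetical, and it assumes Expires is sent in RFC 1123 form and ignores domain and path matching.

```java
import java.time.*;
import java.time.format.*;
import java.util.*;

/** Hypothetical cookie store keyed by cookie NAME (illustration only, not Axis code). */
public class NameKeyedCookieJar {
    private final Map<String, String> cookies = new LinkedHashMap<>();

    /** Applies one Set-Cookie header value: replace by name, or delete if expired. */
    public void handleSetCookie(String header, Instant now) {
        String[] parts = header.split(";");
        int eq = parts[0].indexOf('=');
        if (eq <= 0) return;                       // no NAME=VALUE pair, ignore
        String name = parts[0].substring(0, eq).trim();
        String value = parts[0].substring(eq + 1).trim();
        boolean expired = false;
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            if (kv.length < 2) continue;           // flag attribute such as Secure
            String attr = kv[0].trim(), v = kv[1].trim();
            try {
                if (attr.equalsIgnoreCase("Max-Age")) {
                    expired |= Long.parseLong(v) <= 0;
                } else if (attr.equalsIgnoreCase("Expires")) {
                    ZonedDateTime t = ZonedDateTime.parse(v, DateTimeFormatter.RFC_1123_DATE_TIME);
                    expired |= t.toInstant().isBefore(now);
                }
            } catch (NumberFormatException | DateTimeParseException e) {
                // unparseable attribute: keep the cookie as a session cookie
            }
        }
        // Same name always overwrites, so a rotating value never accumulates.
        if (expired) cookies.remove(name); else cookies.put(name, value);
    }

    /** Value for the outgoing Cookie header: exactly one entry per name. */
    public String cookieHeader() {
        StringJoiner joined = new StringJoiner("; ");
        cookies.forEach((n, v) -> joined.add(n + "=" + v));
        return joined.toString();
    }

    public static void main(String[] args) {
        NameKeyedCookieJar jar = new NameKeyedCookieJar();
        Instant now = Instant.parse("2005-06-10T15:28:47Z");   // constructed clock
        // Constructed headers: a rotating SMSESSION value and an already-expired cookie.
        jar.handleSetCookie("SMSESSION=constructed-value-1; path=/", now);
        jar.handleSetCookie("SMSESSION=constructed-value-2; path=/", now);
        jar.handleSetCookie("OLD=x; Expires=Thu, 01 Jan 2004 00:00:00 GMT", now);
        System.out.println(jar.cookieHeader());
    }
}
```

A production client would also scope replacement by domain and path, which is what the cookie-parsing code in Apache Commons HttpClient mentioned in the report handles.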