Posted to dev@hc.apache.org by "Francois-Xavier Bonnet (JIRA)" <ji...@apache.org> on 2012/12/20 11:31:14 UTC

[jira] [Commented] (HTTPCLIENT-1284) Cookie matching issue with virtual hosts

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13536921#comment-13536921 ] 

Francois-Xavier Bonnet commented on HTTPCLIENT-1284:
----------------------------------------------------

I had a look at the test case. In fact, you are not using a virtual host in the HttpClient sense (setting the parameter ClientPNames.VIRTUAL_HOST), but your target server uses virtual hosts (it expects a certain Host header).
So you need to send the request physically to a certain host, say "http://localhost.localdomain:8080", but with a header "Host: app.mydomain.fr".

If you send an HttpRequest with URI "http://app.mydomain.fr/test" to your target server "http://localhost.localdomain:8080", HttpClient opens a connection to your server but sends a request like:
GET /test HTTP/1.1
Host: localhost.localdomain:8080

-> this is rejected by the server because of the Host header

Then you may try setting the virtual host:
httpRequest.getParams().setParameter(ClientPNames.VIRTUAL_HOST, new HttpHost("app.mydomain.fr", 80, "http"));
Then HttpClient sends a request like this:
GET /test HTTP/1.1
Host: app.mydomain.fr:80

-> this is rejected by the server because of the port number in the host header

Then you can make another try with the virtual host port set to -1, but HttpClient takes the port from the target host and you get this:
GET /test HTTP/1.1
Host: app.mydomain.fr:8080

-> still not good because of the port number in the host header

Then you may want to try without setting ClientPNames.VIRTUAL_HOST; instead you can set the Host header manually:
httpRequest.addHeader("Host", "app.mydomain.fr");
And now you get the right request:
GET /test HTTP/1.1
Host: app.mydomain.fr

-> now the request is OK but cookies with a domain set are rejected because they don't match the target host


Currently the cookie domain is checked against:
1) virtual host (ClientPNames.VIRTUAL_HOST) if set
2) target server in all other cases

In fact it should always be checked against the Host header that was sent in the request, which is:
1) manually set Host header
2) virtual host
3) target host
In addition, as Oleg says that virtual hosts will be deprecated in HttpClient 4.3 and that we will use the host in the URI instead, we have to fix HttpClient to use the host in the URI by default as the Host header in the request.

> Cookie matching issue with virtual hosts
> ----------------------------------------
>
>                 Key: HTTPCLIENT-1284
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1284
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.2.2, 4.2.3
>            Reporter: Nicolas Richeton
>         Attachments: TestCookieVirtualHost.java
>
>
> Following HTTPCLIENT-1282, there is an issue with cookie matching : only target host is used for cookie origin, but with virtual host, this value is not the real host from the client point of view.
> As a result, cookies get discarded by httpclient even if they match the virtual host and would have been accepted by a browser.
> See the code of the following methods :
> RequestAddCookies#process()
> HttpHost targetHost = (HttpHost) context.getAttribute( ExecutionContext.HTTP_TARGET_HOST);
> ...
> String hostName = targetHost.getHostName();
> ...
> CookieOrigin cookieOrigin = new CookieOrigin( hostName, port, requestURI.getPath(), conn.isSecure());
> And
> ResponseProcessCookies#process()
> CookieOrigin cookieOrigin = (CookieOrigin) context.getAttribute(ClientContext.COOKIE_ORIGIN);
> ...
> processCookies(it, cookieSpec, cookieOrigin, cookieStore);
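
The lookup order proposed in the comment above (manually set Host header, then virtual host, then target host), as an added example that is not part of the original message and is not HttpClient code. The class and method names and the cookie domain "mydomain.fr" are hypothetical, and the domain match is a simplified suffix check.

```java
import java.util.Locale;

// Added illustration; not HttpClient code. All names here are hypothetical.
public class CookieOriginHostDemo {

    // Strip an optional ":port" from a Host value, keeping IPv6 literals intact.
    static String hostOnly(String hostHeader) {
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {                      // IPv6 literal such as [::1]:8080
            int end = h.indexOf(']');
            return end > 0 ? h.substring(0, end + 1) : h;
        }
        int colon = h.lastIndexOf(':');
        return colon >= 0 ? h.substring(0, colon) : h;
    }

    // Order proposed in the comment: manual Host header, virtual host, target host.
    static String effectiveHost(String manualHost, String virtualHost, String targetHost) {
        if (manualHost != null) return hostOnly(manualHost);
        if (virtualHost != null) return hostOnly(virtualHost);
        return hostOnly(targetHost);
    }

    // Simplified match: exact host, or host is a subdomain of the Domain attribute.
    // The leading "." in the suffix test keeps "evilmydomain.fr" from matching.
    // A full matcher also has to refuse IP-literal hosts and public suffixes.
    static boolean domainMatches(String cookieDomain, String host) {
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) d = d.substring(1);
        return host.equals(d) || host.endsWith("." + d);
    }

    public static void main(String[] args) {
        String target = "localhost.localdomain:8080";  // where the connection is opened
        String cookieDomain = "mydomain.fr";           // constructed Domain attribute

        // Behaviour reported in the issue: the manual Host header is ignored.
        String current = effectiveHost(null, null, target);
        // Proposed behaviour: the origin follows the Host header actually sent.
        String proposed = effectiveHost("app.mydomain.fr", null, target);

        System.out.println(current + " -> " + domainMatches(cookieDomain, current));
        System.out.println(proposed + " -> " + domainMatches(cookieDomain, proposed));
    }
}
```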
