You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2013/09/30 05:13:24 UTC

[jira] [Commented] (AXIS2-5608) Axis2 ignores cookie values other than JSESSIONID/axis_session from http response headers

    [ https://issues.apache.org/jira/browse/AXIS2-5608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13781588#comment-13781588 ] 

Hudson commented on AXIS2-5608:
-------------------------------

SUCCESS: Integrated in Axis2 #2491 (See [https://builds.apache.org/job/Axis2/2491/])
fixing AXIS2-5608 by removing the specific check for JSESSIONID/axis_session and adding whatever the value(s) in the Set-Cookie header as session cookie (kishanthan: rev 1527429)
* /axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/impl/httpclient3/HTTPSenderImpl.java
* /axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/impl/httpclient4/HTTPSenderImpl.java


> Axis2 ignores cookie values other than JSESSIONID/axis_session from http response headers
> -----------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5608
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5608
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.2
>            Reporter: Kishanthan Thangarajah
>            Assignee: Kishanthan Thangarajah
>             Fix For: 1.7.0
>
>
> Currently in HTTPSenderImpl#obtainHTTPHeaderInformation, the Session Cookie string is constructed by checking only JSEESIONID/axis_session from response headers and then adding them as cookie string. It ignores other values which are coming with Set-Cookie from response headers. This will cause issues with session stickiness, if a client application tries to call some services via a load-balancer, where the load-balancer has its own way of handling session stickiness with its own cookie header.
> For example, if the requests are going through an Amazon ELB, it expect a cookie named as "AWSELB" to identify the correct node. But this will fail, if the client did not send the that cookie with the request, as axis2 client only sends the JSESSIONID.
> As a fix, we can remove the check for specific values (eg : JSESSIONID), and set whatever the Set-Cookie values coming with response headers as the Cookie string value. This will not break any existing apps because, it does not remove any values rather it adds those missing values.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org