axis-java-dev mailing list archives

From "Hudson (JIRA)" <>
Subject [jira] [Commented] (AXIS2-5608) Axis2 ignores cookie values other than JSESSIONID/axis_session from http response headers
Date Sun, 29 May 2016 11:16:12 GMT


Hudson commented on AXIS2-5608:

SUCCESS: Integrated in Axis2 #3537 (See [])
Revert r1527429 (AXIS2-5608).

* That code change is responsible for the regression described in AXIS2-5772.
* It has zero test coverage.
* If multiple Set-Cookie headers are present, the code concatenates their values to a single
  string with ';' used as the separator. That's obviously incorrect.

(veithen: rev 1745982)
* axis2/modules/transport/http-hc3/src/main/java/org/apache/axis2/transport/http/impl/httpclient3/
* axis2/modules/transport/http/src/org/apache/axis2/transport/http/impl/httpclient4/

> Axis2 ignores cookie values other than JSESSIONID/axis_session from http response headers
> -----------------------------------------------------------------------------------------
>                 Key: AXIS2-5608
>                 URL:
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.2
>            Reporter: Kishanthan Thangarajah
>            Assignee: Kishanthan Thangarajah
>             Fix For: 1.7.0
> Currently in HTTPSenderImpl#obtainHTTPHeaderInformation, the Session Cookie string is
> constructed by checking only JSESSIONID/axis_session from response headers and then adding
> them as cookie string. It ignores other values which are coming with Set-Cookie from response
> headers. This will cause issues with session stickiness, if a client application tries to
> call some services via a load-balancer, where the load-balancer has its own way of handling
> session stickiness with its own cookie header.
> For example, if the requests are going through an Amazon ELB, it expects a cookie named
> "AWSELB" to identify the correct node. But this will fail if the client did not send
> that cookie with the request, as the axis2 client only sends the JSESSIONID.
> As a fix, we can remove the check for specific values (eg : JSESSIONID), and set whatever
> the Set-Cookie values coming with response headers as the Cookie string value. This will not
> break any existing apps because, it does not remove any values rather it adds those missing

This message was sent by Atlassian JIRA
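
The commit message above objects to joining the values of several Set-Cookie headers with ';'. The following sketch is an added illustration, not code from Axis2 or from either revision: it contrasts that concatenation with parsing each header separately through the JDK's `java.net.HttpCookie`. The class name, method names and sample header values are assumptions, and Domain/Path/expiry matching, which a real cookie store performs, is left out.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SetCookieDemo {

    // The behaviour the commit message criticises: raw Set-Cookie values joined with ';'.
    // Attributes such as Path and HttpOnly end up in the outgoing Cookie header.
    static String concatenated(List<String> setCookieValues) {
        return String.join(";", setCookieValues);
    }

    // Parse every Set-Cookie header on its own and keep only the name=value pairs.
    static String cookieHeader(List<String> setCookieValues) {
        Map<String, String> jar = new LinkedHashMap<>();
        for (String value : setCookieValues) {
            try {
                for (HttpCookie c : HttpCookie.parse(value)) {
                    jar.put(c.getName(), c.getValue()); // a later header replaces the same name
                }
            } catch (IllegalArgumentException e) {
                // Malformed header: skip it instead of echoing it back to the server.
            }
        }
        List<String> pairs = new ArrayList<>();
        for (Map.Entry<String, String> e : jar.entrySet()) {
            pairs.add(e.getKey() + "=" + e.getValue());
        }
        return String.join("; ", pairs);
    }

    public static void main(String[] args) {
        // Constructed sample response headers; the cookie values are made up.
        List<String> headers = Arrays.asList(
                "JSESSIONID=abc123; Path=/axis2; HttpOnly",
                "AWSELB=node-7; Path=/");
        System.out.println("concatenated: " + concatenated(headers));
        System.out.println("parsed:       " + cookieHeader(headers));
    }
}
```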
