[ https://issues.apache.org/jira/browse/GERONIMO-3861?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12572933#action_12572933 ]
Rick McGuire commented on GERONIMO-3861:
----------------------------------------

Thanks for handling the 2.0, Sangjin. Committed revision 631610.

> cookies need to be validated and filtered
> -----------------------------------------
>
>                 Key: GERONIMO-3861
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3861
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: AsyncHttpClient
>    Affects Versions: 1.x
>            Reporter: Sangjin Lee
>            Assignee: Rick McGuire
>            Priority: Minor
>         Attachments: GERONIMO-3861-v2.patch, GERONIMO-3861.patch
>
>
> Today AHC simply accepts all cookies from the response and emits all cookies
> in the request. However, the attributes need to be taken into consideration
> when we set the cookies as well as when we send them. Two parts of the issue:
> [1] When we emit the cookies in the request, we need to check
> - if the domain matches
> - if the path matches
> - if the cookie has not expired
> - and if the cookie is secure (if the request protocol is http)
> before adding it to the Cookie header.
> [2] When we accept the cookies in the response, we need to check for the
> domain and the path. Note that we do not discard expired cookies, as that's
> often a way to delete an existing cookie.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
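The two halves of the quoted issue, the acceptance checks on a response cookie ([2]) and the four emission checks before a cookie goes into the Cookie header ([1]), as an added example in Python. This is not Geronimo AsyncHttpClient code and not the contents of either attached patch; it is a stand-alone jar written to show the rules. Assumptions not taken from the issue: a Domain without a leading dot is treated as matching that exact host only, an omitted Domain defaults to the request host, an omitted Path defaults to the request path up to its right-most `/`, and more specific paths are emitted first. All hosts, cookie names and timestamps are constructed.

```python
"""Cookie acceptance/emission filters for an HTTP client (constructed example).

A response cookie is stored only if its Domain and Path cover the request that
produced it; a stored cookie is emitted only if the request host and path
match, it has not expired, and a Secure cookie is only sent over https.
Expired cookies are still accepted, because re-setting a cookie with a past
expiry is how a server deletes it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str = ""                 # "" = default to the request host
    path: str = ""                   # "" = default from the request path
    expires: Optional[float] = None  # seconds since epoch; None = session cookie
    secure: bool = False


def _split(url: str) -> Tuple[str, str, str]:
    """Return (scheme, host, path); the path defaults to '/'."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path or "/"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Dotless Domain matches that host only (assumed policy). A dotted Domain
    ('.example.com') matches example.com and its subdomains, but never
    'notexample.com', which merely ends in the same letters."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if not cookie_domain.startswith("."):
        return host == cookie_domain
    return host == cookie_domain[1:] or host.endswith(cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path must be a directory prefix: '/docs' covers '/docs/x', not '/docsearch'."""
    if cookie_path == "/" or request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def default_path(request_path: str) -> str:
    """Path used when Set-Cookie omits one: request path up to its right-most '/'."""
    idx = request_path.rfind("/")
    return request_path[:idx] if idx > 0 else "/"


class CookieJar:
    def __init__(self) -> None:
        # keyed by (name, domain, path): a re-set cookie replaces the old one
        self._cookies: Dict[Tuple[str, str, str], Cookie] = {}

    def stored(self) -> List[Cookie]:
        return list(self._cookies.values())

    def accept(self, response_url: str, cookie: Cookie) -> bool:
        """[2] in the issue: store only if Domain and Path cover the request."""
        _, host, req_path = _split(response_url)
        domain = cookie.domain.lower() or host
        if not domain_matches(host, domain):
            return False  # a host may not set cookies for an unrelated domain
        path = cookie.path or default_path(req_path)
        if not path_matches(req_path, path):
            return False  # Path must cover the URL that set the cookie
        # Expired cookies are stored on purpose: that is how servers delete them.
        self._cookies[(cookie.name, domain, path)] = Cookie(
            cookie.name, cookie.value, domain, path, cookie.expires, cookie.secure)
        return True

    def cookie_header(self, request_url: str, now: float) -> Optional[str]:
        """[1] in the issue: Cookie header value for a request, or None."""
        scheme, host, req_path = _split(request_url)
        sent = [c for c in self._cookies.values()
                if domain_matches(host, c.domain)
                and path_matches(req_path, c.path)
                and (c.expires is None or c.expires > now)  # drop expired
                and (not c.secure or scheme == "https")]    # Secure: https only
        if not sent:
            return None
        sent.sort(key=lambda c: len(c.path), reverse=True)  # specific paths first
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def demo() -> Dict[str, object]:
    """Constructed walkthrough: a jar fed by responses from www.example.com/app/login."""
    jar, now = CookieJar(), 1_700_000_000.0
    set_url = "https://www.example.com/app/login"
    jar.accept(set_url, Cookie("sid", "abc", ".example.com", "/app", now + 3600, secure=True))
    jar.accept(set_url, Cookie("theme", "dark"))  # defaults: host www.example.com, path /app
    rejected = not jar.accept(set_url, Cookie("x", "1", ".evil.test", "/"))
    out: Dict[str, object] = {
        "rejected_foreign_domain": rejected,
        "https_app": jar.cookie_header("https://www.example.com/app/home", now),
        "http_app": jar.cookie_header("http://www.example.com/app/home", now),
        "other_path": jar.cookie_header("https://www.example.com/appendix", now),
        "other_host": jar.cookie_header("https://api.example.com/app/home", now),
    }
    # Server deletes "theme" by re-setting it with a past expiry: accepted, never emitted.
    jar.accept(set_url, Cookie("theme", "", expires=now - 1))
    out["after_delete"] = jar.cookie_header("https://www.example.com/app/home", now)
    out["stored"] = len(jar.stored())
    return out
```

Running `demo()` shows the Secure cookie dropped from the plain-http request, both cookies dropped for `/appendix` even though it shares the prefix `/app`, and the expired `theme` still counted in the jar while absent from the header.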