Hi,

That worked. :)
Indeed the issue was with client adding its own cookies.

Thanks a lot!

Chirag

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, December 09, 2013 8:54 PM
To: HttpClient User Discussion
Subject: Re: Cookie spoofing issue using Commons Http Client 3.1

Hi.

> One thing I forgot to add which might be of use, my application is acting as a
> proxy in here. It accepts requests from a client and proxies it to a server
> thus manually getting all the headers and setting the headers manually in the
> HttpClient.

(I will assume that the cookie management is already done in the (proxy) client, a browser?)

Did you disable the cookie management in HttpClient? Otherwise both the (proxy) client and HttpClient will be sending their own cookies (which seems to be the behaviour described in step #5, but it should be happening in all requests).

Note that the HttpClient shouldn't automatically follow HTTP redirects as the (proxy) client will/might not see all the "Set-Cookie" headers (this would explain why the "Cookie" headers contain different values in step #5, obviously, if a redirect happened in step #4 and it contained a "Set-Cookie" header).

To disable cookies in HttpClient:
httpClient.getParams().setCookiePolicy(CookiePolicy.IGNORE_COOKIES);

Let me know if any of the assumptions I've made is wrong.

HTH.

Best regards.

On 9 December 2013 11:22, Chirag Dewan <[email protected]> wrote:
> Hi Oleg,
>
> I understand that Oleg. But it’s a legacy application which cannot be
> upgraded at the moment, even though it was my first option as well.
>
> Just in case, someone else has also faced a similar issue. It would be of
> great help.
>
> One thing I forgot to add which might be of use, my application is acting as a
> proxy in here. It accepts requests from a client and proxies it to a server
> thus manually getting all the headers and setting the headers manually in the
> HttpClient.
>
> Thanks.
>
> Chirag
>
> -----Original Message-----
> From: Oleg Kalnichevski [mailto:[email protected]]
> Sent: Monday, December 09, 2013 4:36 PM
> To: HttpClient User Discussion
> Subject: Re: Cookie spoofing issue using Commons Http Client 3.1
>
> On Mon, 2013-12-09 at 07:01 +0000, Chirag Dewan wrote:
>> Hi all,
>>
>> I am using Http Client 3.1 in one of my applications. I am using it for a
>> post request.
>>
>> My request flow is like this:
>>
>> 1) Client sends a login request.
>>
>> 2) Server sends a session id in Set-Cookie (Set-Cookie: sessionid=x)
>>
>> 3) Client sends request, with post data and same session id cookie.
>> (Cookie: sessionid=x)
>>
>> 4) Server responds to the request.
>>
>> 5) Client sends another request with 2 session id Cookies, 1 from the
>> previous requests and one other Session id Cookie. (Cookie: sessionid=x &
>> Cookie: $Version=0; sessionid=y)
>>
>> 6) Server unauthorizes the client.
>>
>> It seems like Client is storing the session cookies, and sending 2 session
>> cookies in the request and the server rejects the request based on invalid
>> session id.
>>
>> Thanks in advance.
>>
>> Chirag
>>
>
> Chirag,
>
> HC 3.1 has been at end of life for several years now. It is neither
> being maintained nor supported. It is very unlikely anyone would
> investigate this issue. Please consider upgrading to HC 4.3
>
> Oleg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
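
The fix discussed in this thread, as an added example that is not part of the original messages or of the HttpClient project's own code: a proxy-side forwarding call against the Commons HttpClient 3.1 API that turns off HttpClient's cookie handling and redirect following, so the only `Cookie` header sent upstream is the one the calling client supplied. The class name `CookiePassThrough`, the method `forward` and the upstream URL argument are hypothetical; it assumes commons-httpclient 3.1 and its dependencies are on the classpath.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.cookie.CookiePolicy;
import org.apache.commons.httpclient.methods.GetMethod;

// Added example (hypothetical class and method names), written against Commons HttpClient 3.1.
public class CookiePassThrough {

    /** Sends one proxied request; cookies come only from the caller's headers. */
    static Header[] forward(HttpClient client, HttpMethod upstream,
                            Map<String, String> clientHeaders) throws IOException {
        // No cookie store and no generated "Cookie: $Version=0; ..." header.
        upstream.getParams().setCookiePolicy(CookiePolicy.IGNORE_COOKIES);
        // Hand 3xx responses back so the calling client sees every Set-Cookie itself.
        upstream.setFollowRedirects(false);
        // Copy the calling client's headers, including its own Cookie header.
        for (Map.Entry<String, String> h : clientHeaders.entrySet()) {
            upstream.addRequestHeader(h.getKey(), h.getValue());
        }
        try {
            int status = client.executeMethod(upstream);
            System.out.println("upstream status: " + status);
            // Returned unchanged: the calling client owns the session state.
            return upstream.getResponseHeaders("Set-Cookie");
        } finally {
            upstream.releaseConnection();
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: CookiePassThrough <upstream-url>");
            return;
        }
        HttpClient client = new HttpClient();
        // Client-wide default as well, so methods created elsewhere inherit it.
        client.getParams().setCookiePolicy(CookiePolicy.IGNORE_COOKIES);
        Map<String, String> fromClient = new LinkedHashMap<String, String>();
        fromClient.put("Cookie", "sessionid=x"); // constructed value, as in step 3 of the thread
        for (Header h : forward(client, new GetMethod(args[0]), fromClient)) {
            System.out.println("pass back to client: " + h.getName() + ": " + h.getValue());
        }
    }
}
```

A `Map` keeps one value per header name, which is enough for this sketch; a proxy that must preserve repeated headers would carry them as a list instead.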
