PUBLIC - Liferay Portal Community Edition
LPS-56346

Multiple "Set-Cookie" headers are present for GUEST-LANGUAGE-ID and COOKIE-SUPPORT cookies in the response

      Description

      1. Start portal
      2. Open a new browser session or delete browser cache/cookies
      3. Open the dev toolbar of your browser and switch to the Network tab
      4. Access the portal: http://localhost:8080

      Observe the response headers for localhost:

      Content-Encoding:gzip
      Content-Length:5662
      Content-Type:text/html;charset=UTF-8
      Date:Mon, 08 Jun 2015 14:41:26 GMT
      Liferay-Portal:Liferay Portal Community Edition 7.0.0 CE M5 (Wilberforce / Build 7000 / May 8, 2015)
      Server:Apache-Coyote/1.1
      Set-Cookie:JSESSIONID=EF630500A4B51274F4CB857E39A63FEC; Path=/; HttpOnly
      Set-Cookie:COOKIE_SUPPORT=true; Expires=Tue, 07-Jun-2016 14:41:26 GMT; Path=/; HttpOnly
      Set-Cookie:COOKIE_SUPPORT=true; Expires=Tue, 07-Jun-2016 14:41:26 GMT; Path=/; HttpOnly
      Set-Cookie:GUEST_LANGUAGE_ID=en_US; Expires=Tue, 07-Jun-2016 14:41:26 GMT; Path=/; HttpOnly
      Set-Cookie:GUEST_LANGUAGE_ID=en_US; Expires=Tue, 07-Jun-2016 14:41:26 GMT; Path=/; HttpOnly
      

      --------------
      Related parts of the "Set-Cookie" spec.

      4. Server Requirements
      "Set-Cookie - syntax & semantics":
      syntax: https://tools.ietf.org/html/rfc6265#section-4.1.1

      (...)
      Servers SHOULD NOT include more than one Set-Cookie header field in
      the same response with the same cookie-name. (See Section 5.2 for
      how user agents handle this case.)
      (...)

      semantics: https://tools.ietf.org/html/rfc6265#section-4.1.2

      (...)
      If the user agent receives a new cookie with the same cookie-name,
      domain-value, and path-value as a cookie that it has already stored,
      the existing cookie is evicted and replaced with the new cookie.
      Notice that servers can delete cookies by sending the user agent a
      new cookie with an Expires attribute with a value in the past.
      (...)

      Based on this, user agents handle such cases in a LIFO-like way: when one response carries several Set-Cookie headers with the same cookie-name, domain and path, each later header evicts the earlier one, so only the last header's value remains stored.

      5. User Agent Requirements
      Set-Cookie - header: https://tools.ietf.org/html/rfc6265#section-5.2

      5.2. The Set-Cookie Header

      When a user agent receives a Set-Cookie header field in an HTTP
      response, the user agent MAY ignore the Set-Cookie header field in
      its entirety. For example, the user agent might wish to block
      responses to "third-party" requests from setting cookies (see
      Section 7.1).

      If the user agent does not ignore the Set-Cookie header field in its
      entirety, the user agent MUST parse the field-value of the Set-Cookie
      header field as a set-cookie-string (defined below).

      NOTE: The algorithm below is more permissive than the grammar in
      Section 4.1. For example, the algorithm strips leading and trailing
      whitespace from the cookie name and value (but maintains internal
      whitespace), whereas the grammar in Section 4.1 forbids whitespace in
      these positions. User agents use this algorithm so as to
      interoperate with servers that do not follow the recommendations in
      Section 4.

      (...)
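      To make the two quoted sections concrete, the following is an added example (not code from this report or from Liferay) that parses Set-Cookie strings with the permissive section 5.2 algorithm, flags cookie-names that appear more than once in a response (the section 4.1.1 SHOULD NOT), and replays the section 4.1.2 eviction rule to show which value a user agent ends up storing. The header list is a constructed copy of the lines quoted in the description; the request host "localhost" and the default path "/" are assumptions standing in for the RFC's default-path computation, and Expires values are kept as strings rather than parsed.

```python
"""Duplicate Set-Cookie check and RFC 6265 cookie-store simulation.

Added example for LPS-56346; not Liferay code.  Assumes the request was made
to http://localhost:8080/ so the default-path is "/" and the domain is
"localhost" (a simplification of RFC 6265 section 5.1.4 / 5.3).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copy of the Set-Cookie headers quoted in the issue description.
# The JSESSIONID value is the one from the report, not a live session.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=EF630500A4B51274F4CB857E39A63FEC; Path=/; HttpOnly",
    "COOKIE_SUPPORT=true; Expires=Tue, 07-Jun-2016 14:41:26 GMT; Path=/; HttpOnly",
    "COOKIE_SUPPORT=true; Expires=Tue, 07-Jun-2016 14:41:26 GMT; Path=/; HttpOnly",
    "GUEST_LANGUAGE_ID=en_US; Expires=Tue, 07-Jun-2016 14:41:26 GMT; Path=/; HttpOnly",
    "GUEST_LANGUAGE_ID=en_US; Expires=Tue, 07-Jun-2016 14:41:26 GMT; Path=/; HttpOnly",
]


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute-name (lower-cased) -> attribute-value ("" for flags like HttpOnly)
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(set_cookie_string: str) -> Optional[ParsedCookie]:
    """RFC 6265 section 5.2 parsing algorithm.

    More permissive than the section 4.1 grammar: whitespace around the
    name and value is stripped but internal whitespace is kept.  Returns
    None where the RFC says to ignore the set-cookie-string entirely.
    """
    if ";" in set_cookie_string:
        name_value_pair, unparsed_attributes = set_cookie_string.split(";", 1)
    else:
        name_value_pair, unparsed_attributes = set_cookie_string, ""
    if "=" not in name_value_pair:
        return None  # step 1: no "=" in the name-value-pair -> ignore
    name, value = name_value_pair.split("=", 1)
    name, value = name.strip(), value.strip()
    if name == "":
        return None  # empty cookie-name -> ignore
    attributes: Dict[str, str] = {}
    for cookie_av in unparsed_attributes.split(";"):
        if "=" in cookie_av:
            attr_name, attr_value = cookie_av.split("=", 1)
        else:
            attr_name, attr_value = cookie_av, ""
        attr_name = attr_name.strip().lower()
        if attr_name:
            attributes[attr_name] = attr_value.strip()
    return ParsedCookie(name, value, attributes)


def find_duplicate_names(set_cookie_headers: List[str]) -> Dict[str, int]:
    """Cookie-names that occur in more than one Set-Cookie header of the same
    response, with their counts (servers SHOULD NOT do this, section 4.1.1)."""
    counts: Dict[str, int] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie is not None:
            counts[cookie.name] = counts.get(cookie.name, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def simulate_cookie_store(
    set_cookie_headers: List[str], request_host: str = "localhost"
) -> Dict[Tuple[str, str, str], ParsedCookie]:
    """Replay section 4.1.2 semantics: a new cookie with the same cookie-name,
    domain-value and path-value evicts the stored one, so the last header
    for a given (name, domain, path) is the one the user agent keeps."""
    store: Dict[Tuple[str, str, str], ParsedCookie] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie is None:
            continue
        # Assumption: no Domain attribute -> host-only cookie for request_host;
        # no Path attribute -> default-path "/" (request was to the site root).
        domain = cookie.attributes.get("domain", request_host).lower().lstrip(".")
        path = cookie.attributes.get("path", "/")
        store[(cookie.name, domain, path)] = cookie
    return store


if __name__ == "__main__":
    print("duplicate names:", find_duplicate_names(SAMPLE_SET_COOKIE_HEADERS))
    for key, cookie in simulate_cookie_store(SAMPLE_SET_COOKIE_HEADERS).items():
        print(key, "->", cookie.value, sorted(cookie.attributes))
```

      Run against the quoted headers, `find_duplicate_names` reports COOKIE_SUPPORT and GUEST_LANGUAGE_ID twice each, while the simulated store ends up with three cookies, which is the observable effect of the eviction rule: the duplicates are harmless here only because both copies carry identical values, and the check is the part worth keeping as a regression test for the fix.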

        Attachments

        1. failed_jboss.jpg (91 kB)
        2. fixed_glassfish.jpg (84 kB)
        3. fixed.jpg (83 kB)
        4. reproduced.jpg (106 kB)


        Packages

        Version Package
        6.2.4 CE GA5
        6.2.X EE
        7.0.0 M6