You signed in with another tab or window.
Reload
to refresh your session.
You signed out in another tab or window.
Reload
to refresh your session.
You switched accounts on another tab or window.
Reload
to refresh your session.
By clicking “Sign up for GitHub”, you agree to our
terms of service
and
privacy statement
. We’ll occasionally send you account related emails.
Already on GitHub?
Sign in
to your account
A cookie has the optional attributes
Expires
and
Max-Age
. If both are set, the latter takes precedence.
In method
adaptCookies()
of class
org.springframework.http.client.reactive.HttpComponentsClientHttpResponse
each HttpComponents
Cookie
is converted to a Spring
ResponseCookie
.
Given is an HttpComponents
Cookie
which has set
Expires
only, since
adaptCookies()
just reads
Max-Age
from
Cookie
, the resulting
ResponseCookie
has lost its expiration information.
Note: I have also checked
ReactorClientHttpResponse
, and it is not affected. Netty internally converts
Expires
to
Max-Age
. Thus, its
Cookie
class supports
Max-Age
only.
HttpComponentsClientHttpResponse ignores cookie attribute "Expires"
Reactive
HttpComponentsClientHttpResponse
ignores
Expires
cookie attribute
Jul 8, 2024
Good catch.
ResponseCookie#toString()
actually includes
Expires
if
Max-Age
is set, but you're right: if
Expires
is set without
Max-Age
, then the
Expires
attribute is not included in the generated Cookie string.
So, in general, it's
org.springframework.http.ResponseCookie
as well as
ResponseCookieBuilder
that do not have support for a stand-alone
Expires
attribute.
@sbrannen
I reproduced this issue
here
.
Netty: io.netty.handler.codec.http.cookie.ClientCookieDecoder.mergeMaxAgeAndExpires() merges Max-Age and Expires into Max-Age. Netty merges these two attributes using logic defined in
RFC 6265
. Point 3 of section 5.3 in this RFC gives higher precedence to Max-Age over Expires. And org.springframework.http.client.reactive.ReactorClientHttpResponse.getCookies() only considers maxAge which is okay for this case as Max-Age and Expires is already merged internally by Netty. So, no issues in org.springframework.http.client.reactive.ReactorClientHttpResponse.
Apache: Unlike Netty, Apache is not merging max age and expires. Since org.springframework.http.client.reactive.HttpComponentsClientHttpResponse is an implementation of Apache HttpComponents HttpClient 5.x, I believe it's adaptCookies() method should process both Max-Age and Expires in ResponseCookie just like Apache.
For fix, we can add Expires attribute to ResponseCookie. And in case of org.springframework.http.client.reactive.HttpComponentsClientHttpResponse.adaptCookies(), we set expires attribute if present.
Can I go ahead and raise a PR with this?
Hi
@imvtsl
,
We discussed this within the team and decided to update the logic in
org.springframework.http.client.reactive.HttpComponentsClientHttpResponse.adaptCookies(HttpClientContext)
to set
maxAge()
in the
ResponseCookie
to the converted value of the
Expires
attribute if
Expires
is present and
Max-Age
is not present, and we would otherwise process
Max-Age
as we currently do, thereby giving precedence to
Max-Age
.
We will also need to ensure that we have
Max-Age
/
Expires
tests in place for all
org.springframework.http.client.reactive.ClientHttpResponse
implementations -- for example,
HttpComponentsClientHttpResponse
,
JettyClientHttpResponse
,
ReactorClientHttpResponse
, and
ReactorNetty2ClientHttpResponse
.
If any of those other implementations lack support for handling
Max-Age
and
Expires
as previously stated, we would need to update their processing logic as well.
If you would like to submit a PR for this, feel free to do so. Otherwise, I will get to it in the coming weeks.
Cheers,