Ernestas Gruodis - 1 month ago 11
HTTP Question

Set-Cookie header in Glassfish-5: folding several cookies in one header not working on Firefox (https + HTTP/2.0)

I noticed that the Glassfish-5 web server sends responses with only one Set-Cookie header, which contains several cookies. When I look with Firebug, I can see that they are separated by an unknown character. Anyway, Firefox reads only the first cookie. How do I configure Glassfish 5 to send several Set-Cookie headers, one for each cookie? RFC 6265 states that:



  1. Overview
    ...
    Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for
    folding HTTP headers fields (i.e., as defined in [RFC2616]) might
    change the semantics of the Set-Cookie header field because the
    %x2C (",") character is used by Set-Cookie in a way that conflicts
    with such folding.
    ...




Also here it is stated:


When sending an HTTP Response with multiple cookies, CFHTTPMessage
combines the cookies into a comma-separated list under a single
"Set-Cookie" HTTP header. (This is referred to as
"set-cookie-folding".)

Set-cookie-folding is NOT supported on Google Chrome, Firefox, and
Internet Explorer. Each of those browsers will completely ignore every
cookie after the first comma, rendering CFHTTPMessage completely
useless for handling HTTP responses with multiple cookies in any
browser other than Safari (which supports cookie-folding).


This is how the response looks on firebug:
Two cookies are joined by an unknown character. As I noticed, other servers like Apache split multiple cookies in one Set-Cookie header by a newline character.

I've noticed that this happens only on HTTPS connections.

Also, I've opened an issue on GitHub here.

Tried running the same web application on the Tomcat 9 web server: the Set-Cookie header cookies are separated by a newline character, and it's working as expected...

The same response, but on Glassfish 5, and again the cookies are joined by an unknown character and are not accepted by Firefox (just the first one):

In the NetBeans IDE 8.2 HTTP Server Monitor I can see that 2 cookies are sent - it looks OK:

Once again on Firefox - 2 cookies in one Set-Cookie header:

Received only one - and the value is not correct... :

The same on Firefox Developer Edition:


Totally confused..

Glassfish 5 uses Grizzly Framework 2.4.0 - I think the sources are available in grizzly-http-servlet-2.4.0-sources.jar - but I cannot find the piece of code where the cookies are joined together in one line..

I can confirm now that it is related only to the HTTP/2.0 protocol; tested on Firefox by enabling/disabling network.http.spdy.enabled.http2 in about:config. On HTTP/1.1 via HTTPS, cookies are set as expected.

Answer Source

You no longer need that custom nucleus-grizzly-all.jar. The issue has been released as part of the most recent Glassfish 5.0 nightlies and the most recent promoted build.

There were two different issues as I tracked the actual fix with a Grizzly issue and used the GlassFish issue for integration of Grizzly.
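
An added example, not part of the original question or answer and not Glassfish or Grizzly code: it shows what a browser-style RFC 6265 parser makes of a folded Set-Cookie value (second cookie lost, the first cookie's HttpOnly flag lost, Path overwritten), and a heuristic check for folded values in a captured response. The cookie values are constructed, the function names are hypothetical, and the comma separator is taken from the RFC text quoted above; the separator the question observed is unknown, so control characters are flagged as well.

```python
import re

# Constructed sample cookies (not taken from the page's screenshots).
COOKIE_A = "JSESSIONID=abc123; Path=/app; Secure; HttpOnly"
COOKIE_B = "theme=dark; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/"

def parse_set_cookie(value):
    """Simplified RFC 6265 section 5.2 parse of ONE Set-Cookie value:
    text before the first ';' is name=value, the rest are attributes.
    As in the RFC, the last occurrence of an attribute wins."""
    pair, *attrs = value.split(";")
    name, _, val = pair.partition("=")
    parsed = {}
    for attr in attrs:
        key, _, attr_val = attr.partition("=")
        parsed[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), parsed

def naive_unfold(value):
    """Splitting on ',' is not a fix: it also cuts Expires dates in two."""
    return [part.strip() for part in value.split(",")]

# A comma followed by "token=" marks a second cookie; the comma inside an
# Expires date is followed by a day number and a space, not by "token=".
FOLD_RE = re.compile(r",\s*(?=[!#$%&'*+\-.^_`|~0-9A-Za-z]+=)")
# Assumption: any control character except TAB is treated as a join marker.
CTRL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

def looks_folded(value):
    """Heuristic: one header value that appears to carry several cookies."""
    return bool(CTRL_RE.search(value) or FOLD_RE.search(value))

def audit(headers):
    """Return the Set-Cookie values in (name, value) pairs that look folded."""
    return [v for k, v in headers if k.lower() == "set-cookie" and looks_folded(v)]

if __name__ == "__main__":
    folded = COOKIE_A + ", " + COOKIE_B
    print(parse_set_cookie(folded))
    print(naive_unfold(folded))
    print(audit([("Set-Cookie", COOKIE_A), ("Set-Cookie", folded)]))
```

Run `audit` over the decoded header list of a response, one (name, value) pair per header field, before and after a server upgrade to confirm that each cookie arrives in its own Set-Cookie field.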