Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

http协议set-cookie header格式不符合mdn文档要求 #2575

Closed
pirDOL opened this issue Mar 18, 2024 · 6 comments · Fixed by #2577
Closed

http协议set-cookie header格式不符合mdn文档要求 #2575

pirDOL opened this issue Mar 18, 2024 · 6 comments · Fixed by #2577

Comments

@pirDOL
Copy link

pirDOL commented Mar 18, 2024

Describe the bug (描述bug)

Set-Cookie - HTTP | MDN

To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.

To Reproduce (复现方法)
使用example/http_c++,server调用多次set-cookie,client只能收到一个set-cookie

Expected behavior (期望行为)
对于set-cookie字段应同时满足http和mdn文档规范要求,否则brpc的http-server会存在功能缺陷

Versions (各种版本)
OS:
Compiler:
brpc:
protobuf:

Additional context/screenshots (更多上下文/截图)
@chenBright
Copy link
Contributor

chenBright commented Mar 18, 2024
edited

多次通过调用SetHeader("Set-Cookie", "xxx")来设置cookie吗?

@pirDOL
Copy link
Author

pirDOL commented Mar 18, 2024
edited

@chenBright 根据HttpHeader接口来看,只有SetHeader和AppendHeader,两个接口都不能构造出http server返回响应报文中有多个set-cookie的场景,可以使用如下代码构造复现场景。
使用brpc channel访问这个server获取响应后,通过controller.http_response获取set-cookie的值是a=b;,c=d;,这个不是一个合法的set-cookie格式

#!/noah/bin/python
import socket

def handle_request(client_socket):
    request = client_socket.recv(1024)
    response = 'HTTP/1.1 200 OK\r\n'
    response += 'Set-Cookie: a=b;\r\n'
    response += 'Set-Cookie: c=d;\r\n'
    response += 'Content-Type: text/plain\r\n'
    response += 'Content-Length: 4\r\n'
    response += '\r\n'
    response += 'echo'

    client_socket.sendall(response.encode())
    client_socket.close()

def start_server(port):
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind(('0.0.0.0', port))
    server_socket.listen(5)
    print('Server is listening on port {port}...')

    while True:
        client_socket, client_address = server_socket.accept()
        print('Accepted connection from {client_address}')
        handle_request(client_socket)

if __name__ == '__main__':
    PORT = 1024
    start_server(PORT)

@chenBright
Copy link
Contributor

RFC-7230 Field Order
In practice, the "Set-Cookie" header field ([RFC6265]) often
appears multiple times in a response message and does not use the
list syntax, violating the above requirements on multiple header
fields with the same name. Since it cannot be combined into a
single field-value, recipients ought to handle "Set-Cookie" as a
special case while processing header fields. (See Appendix A.2.3
of [Kri2001] for details.)

RFC-6265 Overview
Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.
The usual mechanism for folding HTTP headers fields (i.e., as defined in [RFC2616]) might
change the semantics of the Set-Cookie header field because the %x2C (",") character is
used by Set-Cookie in a way that conflicts with such folding.

根据HTTP标准定义,不能将多个Set-Cookie合并到一个header。bRPC的处理方式有问题,需要针对Set-Cookie进行特殊处理。

另外,多个Cookie之间不能使用,分隔,应该要用;分隔。

@pirDOL
Copy link
Author

pirDOL commented Mar 19, 2024
edited

@chenBright

;Attributes分隔符,因此如果bRPC中需要特殊处理应使用其他符号

另外,多个Cookie之间不能使用,分隔,应该要用;分隔。

@chenBright
Copy link
Contributor

@chenBright

;Attributes分隔符,因此如果bRPC中需要特殊处理应使用其他符号

另外,多个Cookie之间不能使用,分隔,应该要用;分隔。

嗯嗯,我指的是cookie这个header。

set-cookie这个header的话,HttpHeader不将其合并,每个set-cookie独立一项。

@chenBright chenBright mentioned this issue Mar 19, 2024
Merged
@chenBright
Copy link
Contributor

@pirDOL 试试 #2577 能不能解决问题

@Huixxi Huixxi closed this as completed May 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix invalid headers of multiple cookie and set-cookie chenBright/brpc
3 participants
@pirDOL @chenBright @Huixxi