Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: HTTP protocol
Submitted By: Jerry Dobner (jdobner)
Assigned to: Greg Wilkins (gregwilkins)
Summary: RFC 2109 violation?
RFC 2109 states that
"User agents should send Cookie request headers,
subject to other rules detailed below, with every request."
However HttpRequest is created only once for
HttpConnection, and then read multiple times
(readRequest()). If only the first request on this
connection comes with a cookie, the _request instance
field of the connection will keep its _cookies field
while the connection lasts if further requests do not
bring any cookies at all.
While hardly a serious cause for security concerns,
this leads to some confusing results at development time.
Jetty does make the assumption that cookies will be the same
in each request from a connection. BUT importantly it
checks that assumption. The cookiesExtracted boolean is set
to false by recycle request, so that when getCookies is next
cookie array is check for matching cookies. If they match,
the old cookies are used (saving parsing, object creation
if they do not match, then new cookies are parsed.