Describe the bug
Path attributes of cookies set by JAX-RS resources somehow end up quoted when the request is authenticated (through HTTP Basic Auth) but does not yet contain an LtpaToken2 cookie.
This is problematic, as that leads browsers to ignore the path that the application attempted to set (since the quoted path is invalid), which leads to the browser defaulting to the "directory" of the requested URL. This in turn can result in the cookie not working for its intended purpose.
Steps to Reproduce
I've created a very simple application using the starter on openliberty.io. The application can be found here: https://github.com/otaconix/liberty-quoted-cookie-path-issue
./mvnw liberty:dev
curl -i http://localhost:9080/app-name/api/ -u user:password
Just in case the repo ends up disappearing, I'll reproduce the server.xml and JAX-RS resource's code here:
Example output:
Expected behavior
The "Path" attribute of the cookie named some-cookie should not be quoted.
Note that this issue does not occur when already logged in (replace <cookie-value-here> with the value from the response above):
Diagnostic information:
messages.log, so I omit that
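
How a user agent following RFC 6265 handles the quoted Path described in this issue, as an added example (not code from the issue or from Open Liberty). The request path is the one from the curl command above; the cookie value, the `/` path and the sibling URL `/app-name/other` are constructed assumptions.

```javascript
// Added example: RFC 6265 cookie-path handling for a quoted Path attribute.

// Section 5.1.4: default-path, the "directory" of the request path.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : uriPath.slice(0, lastSlash);
}

// Section 5.2.4: a Path value that is empty or does not start with "/"
// is ignored and the default-path is used instead.
function effectiveCookiePath(setCookie, requestPath) {
  let cookiePath = defaultPath(requestPath);
  for (const attr of setCookie.split(";").slice(1)) {
    const eq = attr.indexOf("=");
    const name = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1).trim();
    if (name === "path") {
      cookiePath = value.startsWith("/") ? value : defaultPath(requestPath);
    }
  }
  return cookiePath;
}

// Section 5.1.4: path-match decides whether the cookie is sent.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Request path from the curl command in the issue.
const REQUEST_PATH = "/app-name/api/";
// Constructed headers: the cookie value and the "/" path are assumptions.
const QUOTED = 'some-cookie=some-value; Path="/"';
const UNQUOTED = "some-cookie=some-value; Path=/";
// Hypothetical sibling URL that the application wants the cookie sent to.
const OTHER_PATH = "/app-name/other";

for (const header of [QUOTED, UNQUOTED]) {
  const path = effectiveCookiePath(header, REQUEST_PATH);
  console.log(`${header} -> cookie-path ${path}, ` +
    `sent to ${OTHER_PATH}: ${pathMatches(OTHER_PATH, path)}`);
}
```

With the quoted header the cookie is scoped to `/app-name/api` and is not returned to the sibling URL; with the unquoted header it is scoped to `/` and is returned.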