alibaba / tengine

A distribution of Nginx with some advanced features
https://tengine.taobao.org
BSD 2-Clause "Simplified" License

session_sticky_hide_cookie action violates RFC 6265 #1597

Open sss1998 opened 2 years ago

sss1998 commented 2 years ago

Ⅰ. Issue Description

tengine version: Tengine/2.3.3

Ⅱ. Describe what happened

I configured session_sticky and session_sticky_hide_cookie, and sent a request. The cookie header in the request sent to upstream may be "Cookie:" or "Cookie: aaa;".

Ⅲ. Describe what you expected to happen

According to RFC 6265:

    cookie-header = "Cookie:" OWS cookie-string OWS
    cookie-string = cookie-pair *( ";" SP cookie-pair )
    cookie-pair   = cookie-name "=" cookie-value

So, the cookie header could not end with ";", nor just be empty.

Ⅳ. How to reproduce it (as minimally and precisely as possible)

  1. Configure a single server, like:

      server {
          listen 2122 reuseport;
          listen [::]:2122 reuseport;
          server_name ;  # value not given in the report

          location / {
              session_sticky_hide_cookie "upstream=test";
              proxy_pass "http://test";
          }
      }

      upstream "test" {
          session_sticky cookie=test option=indirect maxage=3600;
          keepalive 256;
          keepalive_timeout 60;
          server 1.1.1.1:80;
      }

  2. Send a request.
  3. See what the upstream server gets.

Ⅴ. Anything else we need to know?

  1. If applicable, add nginx debug log doc.

Ⅵ. Environment:
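The behaviour the report asks for, as an added example that is not part of the issue and not Tengine's code: removing one cookie from a Cookie header value so that what remains is still a valid RFC 6265 cookie-string, or signalling that the header should be omitted when nothing remains. The function names `strip_cookie` and `is_cookie_string` are hypothetical, the validator checks only the shape of the grammar quoted above, and the cookie name `test` is taken from the reported configuration.

```c
#include <stdio.h>
#include <string.h>

/* Remove every cookie-pair named `name` from the Cookie header value `in` and
 * write the rest to `out`, joined by "; ". Returns the number of pairs kept
 * (0: omit the Cookie header altogether), or -1 if `out` is too small. */
int strip_cookie(const char *in, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name), used = 0;
    int kept = 0;
    if (outsz) out[0] = '\0';
    while (*in) {
        while (*in == ' ' || *in == '\t' || *in == ';') in++;   /* separators */
        const char *end = strchr(in, ';');
        size_t raw = end ? (size_t)(end - in) : strlen(in), len = raw;
        while (len > 0 && (in[len - 1] == ' ' || in[len - 1] == '\t')) len--;
        int match = len > nlen && in[nlen] == '=' && strncmp(in, name, nlen) == 0;
        if (len > 0 && !match) {
            if (used + len + (kept ? 2 : 0) + 1 > outsz) return -1;
            if (kept) { memcpy(out + used, "; ", 2); used += 2; }
            memcpy(out + used, in, len);
            out[used += len] = '\0';
            kept++;
        }
        in += raw;
    }
    return kept;
}

/* Simplified cookie-string shape check: pairs separated by exactly "; ", each
 * with a non-empty name before "=", and no empty or trailing element. */
int is_cookie_string(const char *s)
{
    for (;;) {
        const char *end = strchr(s, ';');
        size_t len = end ? (size_t)(end - s) : strlen(s);
        const char *eq = memchr(s, '=', len);
        if (eq == NULL || eq == s || memchr(s, ' ', len)) return 0;
        if (end == NULL) return 1;
        if (end[1] != ' ') return 0;    /* ";" must be followed by SP and a pair */
        s = end + 2;
    }
}

int main(void)
{
    char out[64];   /* the input below is a constructed sample */
    int n = strip_cookie("aaa=1; test=abc", "test", out, sizeof out);
    return printf("%d kept: \"%s\" ok=%d\n", n, out, is_cookie_string(out)) < 0;
}
```

A return value of 0 is the case where the proxy should send no Cookie header at all rather than an empty one.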

sss1998 commented 2 years ago

Besides, if I use session_sticky with indirect mode and do not configure session_sticky_hide_cookie, it seems that the session_sticky function cannot work: Tengine's response to the client won't add a Set-Cookie header.