Always send set-cookie headers for all cookies.

[roadrunner2]

Commit 6c44d445a changed things such that set-cookie headers are sent only for the number of cookies received in the request. This works if the client sends all requests in strictly sequential order, but fails if it sends requests in parallel. The following scenario illustrates this:

1. the client issues a request and receives 1 set-cookie (gsession-0).
2. the client issues 2 requests in parallel, each with this one cookie
3. the first response contains 2 set-cookie headers (gsession-0 and gsession-1)
4. the second response contains 1 set-cookie header (gsession-0). At this point the client now has 2 cookies, but "mismatched": one from each response. The next request will fail because the concatenated result of the two cookies will not be valid.

So, this change reverts the behaviour introduced in the above commit, and we now always send N set-cookie headers (where N is the configured max cookie count).

[benlucchesi]

ok, I'll check it out and get it in as soon as possible.

thanks!

Ben Lucchesi | Chief Software Architect Granicus, Inc.work: 415.357.3618 x1300 [X]http://www.granicus.com/ Follow Us! Bloghttp://blog.granicus.com/ | Twitterhttp://twitter.com/granicus | Facebookhttp://www.facebook.com/pages/Granicus/134633056573520

---

From: roadrunner2 [notifications@github.com] Sent: Saturday, September 13, 2014 1:14 AM To: benlucchesi/grails-cookie-session-v2 Subject: [grails-cookie-session-v2] Always send set-cookie headers for all cookies. (#45)

Commit 6c44d44https://github.com/benlucchesi/grails-cookie-session-v2/commit/6c44d445a5b33d843b7cff985bec0584c6cef390 changed things such that set-cookie headers are sent only for the number of cookies received in the request. This works if the client sends all requests in strictly sequential order, but fails if it sends requests in parallel. The following scenario illustrates this:

1. the client issues a request and receives 1 set-cookie (gsession-0).
2. the client issues 2 requests in parallel, each with this one cookie
3. the first response contains 2 set-cookie headers (gsession-0 and gsession-1)
4. the second response contains 1 set-cookie header (gsession-0). At this point the client now has 2 cookies, but "mismatched": one from each response. The next request will fail because the concatenated result of the two cookies will not be valid.

So, this change reverts the behaviour introduced in the above commit, and we now always send N set-cookie headers (where N is the configured max cookie count).

---

You can merge this Pull Request by running

git pull https://github.com/roadrunner2/grails-cookie-session-v2 fix-session-corruption

Or view, comment on, or merge it at:

https://github.com/benlucchesi/grails-cookie-session-v2/pull/45

Commit Summary

• Always send set-cookie headers for all cookies.

File Changes

• M src/groovy/com/granicus/grails/plugins/cookiesession/CookieSessionRepository.groovyhttps://github.com/benlucchesi/grails-cookie-session-v2/pull/45/files#diff-0 (10)

Patch Links:

• https://github.com/benlucchesi/grails-cookie-session-v2/pull/45.patch
• https://github.com/benlucchesi/grails-cookie-session-v2/pull/45.diff

— Reply to this email directly or view it on GitHubhttps://github.com/benlucchesi/grails-cookie-session-v2/pull/45.