benlucchesi / grails-cookie-session

cookie sessions for grails applications
28 stars 32 forks

Always send set-cookie headers for all cookies. #45

Closed roadrunner2 closed 9 years ago

roadrunner2 commented 10 years ago

Commit 6c44d445a changed things such that set-cookie headers are sent only for the number of cookies received in the request. This works if the client sends all requests in strictly sequential order, but fails if it sends requests in parallel. The following scenario illustrates this:

  1. the client issues a request and receives 1 set-cookie (gsession-0).
  2. the client issues 2 requests in parallel, each with this one cookie.
  3. the first response contains 2 set-cookie headers (gsession-0 and gsession-1)
  4. the second response contains 1 set-cookie header (gsession-0). At this point the client now has 2 cookies, but "mismatched": one from each response. The next request will fail because the concatenated result of the two cookies will not be valid.

So, this change reverts the behaviour introduced in the above commit, and we now always send N set-cookie headers (where N is the configured max cookie count).
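The four-step scenario above can be replayed offline. The following is an added example in Python, not code from this pull request or the plugin. The hex-over-JSON encoding, the chunk size, N = 3, the empty value meaning "delete this cookie", and the rule that the old behaviour covers max(chunks needed, cookies received) are all assumptions made so that steps 3 and 4 come out as described.

```python
import json

MAX_COOKIES = 3   # assumption: the configured max cookie count (N)
CHUNK = 64        # assumption: per-cookie payload size, kept tiny for the demo

def encode(session):
    """Serialize the session and split it into chunks for gsession-0..k."""
    blob = json.dumps(session).encode().hex()   # stand-in encoding, not the plugin's
    return [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]

def decode(jar):
    """Concatenate the client's gsession-* cookies; None if the result is invalid."""
    blob = "".join(jar.get(f"gsession-{i}", "") for i in range(MAX_COOKIES))
    try:
        return json.loads(bytes.fromhex(blob))
    except ValueError:
        return None

def respond(request_cookies, session, always_send_all):
    """Build the Set-Cookie name/value pairs for one response."""
    chunks = encode(session)
    # Assumed model of the old behaviour: cover only cookies needed or received.
    count = MAX_COOKIES if always_send_all else max(len(chunks), len(request_cookies))
    # An empty value stands for "delete this cookie".
    return {f"gsession-{i}": chunks[i] if i < len(chunks) else "" for i in range(count)}

def apply(jar, set_cookies):
    """Client side: store or delete cookies as instructed by a response."""
    for name, value in set_cookies.items():
        if value:
            jar[name] = value
        else:
            jar.pop(name, None)

def scenario(always_send_all):
    """Replay steps 1-4 and return what the server decodes on the next request."""
    small, big = {"u": "al", "seen": 1}, {"u": "al", "cart": ["a", "b", "c", "d"]}
    jar = {}
    apply(jar, respond({}, {"u": "al"}, always_send_all))   # step 1: one cookie
    sent = dict(jar)                                        # step 2: both requests carry this
    apply(jar, respond(sent, big, always_send_all))         # step 3: two chunks come back
    apply(jar, respond(sent, small, always_send_all))       # step 4: one chunk comes back
    return decode(jar)

if __name__ == "__main__":
    print("per-request count:", scenario(False))
    print("always N cookies: ", scenario(True))
```

With the per-request count, the jar ends up holding gsession-0 from the second response and gsession-1 from the first, so decoding fails. With all N headers sent, the stale gsession-1 is deleted and the session decodes.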

benlucchesi commented 10 years ago

ok, I'll check it out and get it in as soon as possible.

thanks!

Ben Lucchesi | Chief Software Architect, Granicus, Inc.


From: roadrunner2 [notifications@github.com]
Sent: Saturday, September 13, 2014 1:14 AM
To: benlucchesi/grails-cookie-session-v2
Subject: [grails-cookie-session-v2] Always send set-cookie headers for all cookies. (#45)

You can merge this Pull Request by running

git pull https://github.com/roadrunner2/grails-cookie-session-v2 fix-session-corruption

Or view, comment on, or merge it at:

https://github.com/benlucchesi/grails-cookie-session-v2/pull/45
