mkopylec / charon-spring-boot-starter

Reverse proxy implementation in form of a Spring Boot starter.
Apache License 2.0

Disable Cookie Management in HttpClient provider #69

Closed jecuendet closed 5 years ago

jecuendet commented 5 years ago

Don't stock the cookies that are sent between the client and the browser. This can cause a lot of problems around mixing sessions between HTTP connections. This can lead to session stealing from one user to another! Hint: Spring Cloud Hystrix also disables it by default.

jecuendet commented 5 years ago

After merge, please backport to 2.6.x branch and release a version against spring-boot 1.5.x

mkopylec commented 5 years ago

I'm not sure if this should be the default behaviour. If you'd like to customize the HTTP client you can do it on your own by extending the HttpClientProvider Spring bean.

jecuendet commented 5 years ago

In Spring Cloud, it's disabled by default. See: RibbonLoadBalancingHttpClient, HttpClientFeignLoadBalancedConfiguration, DefaultApacheHttpClientFactory.

Look for disableCookieManagement

IMO, this is a better default to disable it...
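The session-mixing risk raised in the opening comment, and the `disableCookieManagement` setting pointed to in the comment above, can be reproduced with Apache HttpClient alone. The following is an added example, not code from this thread or from Charon: it assumes Apache HttpClient 4.5.x on the classpath and uses the JDK's built-in `com.sun.net.httpserver.HttpServer` as a constructed stub backend. Two requests standing in for two different users go through one shared client; with the default builder the backend's `Set-Cookie` from the first request is stored in the client-wide cookie store and replayed on the second, while with `disableCookieManagement()` nothing is stored, so a proxy must copy cookies per request from the incoming request instead.

```java
import com.sun.net.httpserver.HttpServer;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;

import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.util.concurrent.atomic.AtomicReference;

public class SharedCookieStoreDemo {

    // Constructed stub backend (not a real service): it records the Cookie header of
    // every request and answers each one with a Set-Cookie for a session id.
    static HttpServer startBackend(AtomicReference<String> lastCookieHeader) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            lastCookieHeader.set(exchange.getRequestHeaders().getFirst("Cookie"));
            exchange.getResponseHeaders().add("Set-Cookie", "JSESSIONID=user-a-session; Path=/");
            byte[] body = "ok".getBytes();
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });
        server.start();
        return server;
    }

    // Two requests through the same client, standing in for two different end users
    // whose traffic a reverse proxy forwards with one shared HttpClient instance.
    static void twoRequests(CloseableHttpClient client, String base) throws Exception {
        // "User A": the backend sets its session cookie in the response.
        client.execute(new HttpGet(base + "/a")).close();
        // "User B": with a client-wide cookie store, A's session cookie is attached here.
        client.execute(new HttpGet(base + "/b")).close();
    }

    public static void main(String[] args) throws Exception {
        AtomicReference<String> seenByBackend = new AtomicReference<>();
        HttpServer backend = startBackend(seenByBackend);
        String base = "http://127.0.0.1:" + backend.getAddress().getPort();
        try {
            // Default builder: HttpClient keeps a CookieStore shared by all requests.
            try (CloseableHttpClient defaultClient = HttpClientBuilder.create().build()) {
                twoRequests(defaultClient, base);
                System.out.println("default client, Cookie header on second request: " + seenByBackend.get());
            }
            // Hardened builder: no cookie store, so nothing from one user's response
            // can leak into another user's request.
            try (CloseableHttpClient hardened = HttpClientBuilder.create()
                    .disableCookieManagement()
                    .build()) {
                twoRequests(hardened, base);
                System.out.println("disableCookieManagement, Cookie header on second request: " + seenByBackend.get());
            }
        } finally {
            backend.stop(0);
        }
    }
}
```

Run it with the `httpclient` 4.5 jar and its dependencies on the classpath. The first line shows the `JSESSIONID` the backend set for "user A" arriving on "user B's" request; the second shows no `Cookie` header at all, which is the behaviour a proxy wants from its backend client: cookies are forwarded only when the proxy explicitly copies them from each incoming request.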

mkopylec commented 5 years ago

Hi, the new version of Charon will expose a cookie rewriting configuration so you will be able to configure how cookies have to be handled:

mkopylec commented 5 years ago

4.0.0 is out and it provides configurable cookie handling.