Page MenuHomePhabricator
Create Task
Maniphest T98396

WMF-Last-Access cookie breaks Java client
Closed, DeclinedPublic
Actions

Description

See note from SMalyshev

1:01 PM <SMalyshev> hey everybody! I noticed recently I've starting to get this error from my Java tool: 12:57:20.785 [main] WARN  o.a.h.c.p.ResponseProcessCookies - Invalid cookie header: "Set-Cookie: WMF-Last-Access=06-May-2015;Path=/;HttpOnly;Expires=Sun, 07 Jun 2015 12:00:00 GMT". Invalid 'expires' attribute: Sun, 07 Jun 2015 12:00:00 GMT
1:01 PM <SMalyshev> did we add non-standard cookie headers recently?
1:01 PM <Ironholds> kevinator, I would thoroughly recommend sending engineering@ a note about the cookie
1:01 PM <SMalyshev> and if so, can it be done in a way that doesn't drive Java crazy? :)

Related Objects

Event Timeline

kevinator created this task.May 6 2015, 8:12 PM
kevinator raised the priority of this task from to High.
kevinator updated the task description. (Show Details)
kevinator added projects: Analytics-Clusters, Analytics-Kanban.
kevinator added subscribers: kevinator, BBlack, Milimetric.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 6 2015, 8:12 PM
Milimetric added a comment.EditedMay 6 2015, 8:14 PM

code that is having trouble with the new cookie: https://github.com/wikimedia/wikidata-query-rdf/blob/master/tools/src/main/java/org/wikidata/query/rdf/tool/wikibase/WikibaseRepository.java

and specifically:

https://github.com/wikimedia/wikidata-query-rdf/blob/master/tools/src/main/java/org/wikidata/query/rdf/tool/wikibase/WikibaseRepository.java#L221

Smalyshev subscribed.May 6 2015, 8:15 PM
Smalyshev added a comment.May 6 2015, 8:19 PM

Just to be clear and save digging in the code, the client used is org.apache.http.client, via org.apache.http.client.methods.HttpGet and org.apache.http.impl.client.CloseableHttpClient.

BBlack added a comment.May 6 2015, 8:20 PM

I *think* that Expires field is formatted correctly... does someone have a handy link to whatever deeper java code actually parses it and throws that error?

Milimetric added a comment.May 6 2015, 8:21 PM

@BBlack: I think it's this code here: https://github.com/wikimedia/wikidata-query-rdf/blob/master/tools/src/main/java/org/wikidata/query/rdf/tool/wikibase/WikibaseRepository.java#L221

BBlack added a comment.May 6 2015, 8:22 PM

I mean, the org.apache.http.... code that actually parses the Set-Cookie

Smalyshev added a comment.May 6 2015, 8:26 PM

@BBlack It looks like Wikipedia examples are different :)
https://en.wikipedia.org/wiki/HTTP_cookie#Expires_and_Max-Age

Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; Expires=Tue, 15-Jan-2013 21:47:38 GMT; Path=/; Domain=.example.com; HttpOnly

but we have

Expires=Sun, 07 Jun 2015 12:00:00 GMT

The separator is space instead of -. The RFC (http://tools.ietf.org/html/rfc6265#section-5.1.1) says any delimiter out of %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E is OK but looks like Java has different opinion on that. May be org.apache.http.client bug or old implementation.

BBlack added a comment.May 6 2015, 8:33 PM

Ok, fair enough. The dashes seem to be more-common practice in any case. Working out a fix (too bad Varnish uses the spaces in its default formatting!).

Smalyshev added a comment.May 6 2015, 8:41 PM

Weird, it looks like by default Apache client should use this cookie spec class:
https://svn.apache.org/repos/asf/httpcomponents/httpclient/tags/4.4.1/httpclient/src/main/java/org/apache/http/impl/cookie/RFC2109Spec.java
with date patterns:

final static String[] DATE_PATTERNS = {
     DateUtils.PATTERN_RFC1123,
     DateUtils.PATTERN_RFC1036,
     DateUtils.PATTERN_ASCTIME
 };

which are:

public static final String PATTERN_RFC1123 = "EEE, dd MMM yyyy HH:mm:ss zzz";
public static final String PATTERN_RFC1036 = "EEE, dd-MMM-yy HH:mm:ss zzz";
public static final String PATTERN_ASCTIME = "EEE MMM d HH:mm:ss yyyy";

so our date should work but for some reason it doesn't... I'll try to look deeper into what's going on there.

BBlack added a comment.May 6 2015, 8:53 PM

Well I don't know what the language of those patterns is, but it looks plausible that dashes alone may not fix this, if they expect two-digit years along with them. I'll wait and see what you turn up first.

BBlack added a comment.May 6 2015, 8:54 PM

(also, I think we're actually using apache's 4.4 not 4.4.1 in our stuff? in case it makes any diff)

kevinator closed this task as Declined.Jun 12 2015, 4:22 PM
kevinator claimed this task.

Please re-open this task if it is still a problem.

Milimetric moved this task from Next Up to Done on the Analytics-Kanban board.Feb 8 2016, 6:41 PM
JulesWinnfield-hu subscribed.Feb 11 2016, 10:52 AM
hashar mentioned this in T273605: org.apache.http.client.protocol.ResponseProcessCookies : Invalid cookie header for WMF-Last-Access.Feb 2 2021, 11:48 AM
hashar subscribed.

The same happens on Gerrit which uses org.apache.httpcomponents:httpclient:4.5.2. It does not recognizes the expires value. Filed as T273605

Milimetric edited projects, added Analytics; removed Analytics-Clusters.Feb 5 2021, 8:15 PM
hashar mentioned this in T262996: Don't set cookies in traffic layer for non-user facing domains (avoid false third-party cookie warning).Nov 8 2022, 8:37 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits