Page MenuHomePhabricator

WMF-Last-Access cookie breaks Java client
Closed, DeclinedPublic


See note from SMalyshev

1:01 PM <SMalyshev> hey everybody! I noticed recently I've starting to get this error from my Java tool: 12:57:20.785 [main] WARN  o.a.h.c.p.ResponseProcessCookies - Invalid cookie header: "Set-Cookie: WMF-Last-Access=06-May-2015;Path=/;HttpOnly;Expires=Sun, 07 Jun 2015 12:00:00 GMT". Invalid 'expires' attribute: Sun, 07 Jun 2015 12:00:00 GMT
1:01 PM <SMalyshev> did we add non-standard cookie headers recently?
1:01 PM <Ironholds> kevinator, I would thoroughly recommend sending engineering@ a note about the cookie
1:01 PM <SMalyshev> and if so, can it be done in a way that doesn't drive Java crazy? :)

Event Timeline

kevinator raised the priority of this task from to High.
kevinator updated the task description. (Show Details)

Just to be clear and save digging in the code, the client used is org.apache.http.client, via org.apache.http.client.methods.HttpGet and org.apache.http.impl.client.CloseableHttpClient.

I *think* that Expires field is formatted correctly... does someone have a handy link to whatever deeper java code actually parses it and throws that error?

I mean, the org.apache.http.... code that actually parses the Set-Cookie

@BBlack It looks like Wikipedia examples are different :)

Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; Expires=Tue, 15-Jan-2013 21:47:38 GMT; Path=/;; HttpOnly

but we have

Expires=Sun, 07 Jun 2015 12:00:00 GMT

The separator is space instead of -. The RFC ( says any delimiter out of %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E is OK but looks like Java has different opinion on that. May be org.apache.http.client bug or old implementation.

Ok, fair enough. The dashes seem to be more-common practice in any case. Working out a fix (too bad Varnish uses the spaces in its default formatting!).

Weird, it looks like by default Apache client should use this cookie spec class:
with date patterns:

final static String[] DATE_PATTERNS = {

which are:

public static final String PATTERN_RFC1123 = "EEE, dd MMM yyyy HH:mm:ss zzz";
public static final String PATTERN_RFC1036 = "EEE, dd-MMM-yy HH:mm:ss zzz";
public static final String PATTERN_ASCTIME = "EEE MMM d HH:mm:ss yyyy";

so our date should work but for some reason it doesn't... I'll try to look deeper into what's going on there.

Well I don't know what the language of those patterns is, but it looks plausible that dashes alone may not fix this, if they expect two-digit years along with them. I'll wait and see what you turn up first.

(also, I think we're actually using apache's 4.4 not 4.4.1 in our stuff? in case it makes any diff)

kevinator claimed this task.

Please re-open this task if it is still a problem.

hashar subscribed.

The same happens on Gerrit which uses org.apache.httpcomponents:httpclient:4.5.2. It does not recognizes the expires value. Filed as T273605