WMF-Last-Access cookie breaks Java client
Closed, Declined · Public

Description

See note from SMalyshev

1:01 PM <SMalyshev> hey everybody! I noticed recently I've started to get this error from my Java tool: 12:57:20.785 [main] WARN  o.a.h.c.p.ResponseProcessCookies - Invalid cookie header: "Set-Cookie: WMF-Last-Access=06-May-2015;Path=/;HttpOnly;Expires=Sun, 07 Jun 2015 12:00:00 GMT". Invalid 'expires' attribute: Sun, 07 Jun 2015 12:00:00 GMT
1:01 PM <SMalyshev> did we add non-standard cookie headers recently?
1:01 PM <Ironholds> kevinator, I would thoroughly recommend sending engineering@ a note about the cookie
1:01 PM <SMalyshev> and if so, can it be done in a way that doesn't drive Java crazy? :)

Event Timeline

kevinator raised the priority of this task from to High.
kevinator updated the task description.
Restricted Application added a subscriber: Aklapper. May 6 2015, 8:12 PM

Just to be clear and save digging in the code, the client used is org.apache.http.client, via org.apache.http.client.methods.HttpGet and org.apache.http.impl.client.CloseableHttpClient.

BBlack added a comment. May 6 2015, 8:20 PM

I *think* that Expires field is formatted correctly... does someone have a handy link to whatever deeper java code actually parses it and throws that error?

BBlack added a comment. May 6 2015, 8:22 PM

I mean, the org.apache.http.... code that actually parses the Set-Cookie

@BBlack It looks like Wikipedia examples are different :)
https://en.wikipedia.org/wiki/HTTP_cookie#Expires_and_Max-Age

Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; Expires=Tue, 15-Jan-2013 21:47:38 GMT; Path=/; Domain=.example.com; HttpOnly

but we have

Expires=Sun, 07 Jun 2015 12:00:00 GMT

The separator is a space instead of -. The RFC (http://tools.ietf.org/html/rfc6265#section-5.1.1) says any delimiter out of %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E is OK, but it looks like Java has a different opinion on that. May be an org.apache.http.client bug or an old implementation.

BBlack added a comment. May 6 2015, 8:33 PM

Ok, fair enough. The dashes seem to be more-common practice in any case. Working out a fix (too bad Varnish uses the spaces in its default formatting!).

Weird, it looks like by default Apache client should use this cookie spec class:
https://svn.apache.org/repos/asf/httpcomponents/httpclient/tags/4.4.1/httpclient/src/main/java/org/apache/http/impl/cookie/RFC2109Spec.java
with date patterns:

final static String[] DATE_PATTERNS = {
    DateUtils.PATTERN_RFC1123,
    DateUtils.PATTERN_RFC1036,
    DateUtils.PATTERN_ASCTIME
};

which are:

public static final String PATTERN_RFC1123 = "EEE, dd MMM yyyy HH:mm:ss zzz";
public static final String PATTERN_RFC1036 = "EEE, dd-MMM-yy HH:mm:ss zzz";
public static final String PATTERN_ASCTIME = "EEE MMM d HH:mm:ss yyyy";

so our date should work but for some reason it doesn't... I'll try to look deeper into what's going on there.

BBlack added a comment. May 6 2015, 8:53 PM

Well I don't know what the language of those patterns is, but it looks plausible that dashes alone may not fix this, if they expect two-digit years along with them. I'll wait and see what you turn up first.
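
An added example, not part of the original thread and not HttpClient code: the three pattern strings quoted above are java.text.SimpleDateFormat patterns, and this program tries each one against the Expires value from the warning, the dashed value from the Wikipedia example, and a constructed dashed two-digit-year variant. It assumes plain SimpleDateFormat with Locale.US, GMT and strict whole-string matching; the class name ExpiresPatternCheck and the parseWith helper are hypothetical.

```java
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.TimeZone;

// Added illustration; class and helper names are hypothetical.
public class ExpiresPatternCheck {

    // Pattern strings as quoted in the thread from HttpClient's DateUtils.
    static final Map<String, String> PATTERNS = new LinkedHashMap<>();
    static {
        PATTERNS.put("RFC1123", "EEE, dd MMM yyyy HH:mm:ss zzz");
        PATTERNS.put("RFC1036", "EEE, dd-MMM-yy HH:mm:ss zzz");
        PATTERNS.put("ASCTIME", "EEE MMM d HH:mm:ss yyyy");
    }

    // Returns the parsed date, or null unless the pattern consumes the whole value.
    static Date parseWith(String pattern, String value) {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern, Locale.US); // assumption: US locale
        fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
        fmt.setLenient(false); // reject out-of-range or inconsistent fields
        ParsePosition pos = new ParsePosition(0);
        Date parsed = fmt.parse(value, pos); // null on failure, no exception
        return (parsed != null && pos.getIndex() == value.length()) ? parsed : null;
    }

    public static void main(String[] args) {
        String[] values = {
            "Sun, 07 Jun 2015 12:00:00 GMT",   // Expires value from the warning
            "Tue, 15-Jan-2013 21:47:38 GMT",   // Expires value from the Wikipedia example
            "Sun, 07-Jun-15 12:00:00 GMT"      // constructed: dashes with a two-digit year
        };
        for (String value : values) {
            System.out.println(value);
            for (Map.Entry<String, String> p : PATTERNS.entrySet()) {
                Date d = parseWith(p.getValue(), value);
                System.out.printf("  %-8s %s%n", p.getKey(),
                        d == null ? "no match" : "parsed as " + d.toInstant());
            }
        }
    }
}
```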

BBlack added a comment. May 6 2015, 8:54 PM

(also, I think we're actually using apache's 4.4 not 4.4.1 in our stuff? in case it makes any diff)

kevinator closed this task as Declined. Jun 12 2015, 4:22 PM
kevinator claimed this task.

Please re-open this task if it is still a problem.

Milimetric moved this task from Next Up to Done on the Analytics-Kanban board. Feb 8 2016, 6:41 PM