
Copy Max-Age cookie attribute to VCAP_ID unconditionally #429

Open
hoffmaen opened this issue Jul 16, 2024 · 0 comments
@hoffmaen
Contributor

Current behavior

With the current implementation of session handling, gorouter sets a VCAP_ID cookie if a session cookie, by default JSESSIONID, is present in the application response. Some cookie parameters, such as the Expiry timestamp and the 'Partitioned' flag, are copied from the session cookie to VCAP_ID. However, the Max-Age attribute is only copied if its value in the session cookie is 0 or negative. This is an inconsistent behaviour, as the Expiry attribute is always copied, and Max-Age takes precedence over Expiry.

This can lead to unexpected and undesired behaviour: When providing a positive Max-Age value for the session cookie, it can expire once Max-Age has been reached, but the VCAP_ID cookie is still valid. In the next request, gorouter will not consider it, as the expired session cookie is missing.

However, in the case the orphan VCAP_ID cookie is unpartitioned, and the next session cookie retrieved by another instance is partitioned, two VCAP_ID cookies will co-exist (one partitioned and one unpartitioned). The session cookie matches the instance of the partitioned VCAP_ID cookie, which can differ from the unpartitioned and still valid VCAP_ID cookie.

By default, cookies with the same path are sorted by their creation times. Hence, the unpartitioned VCAP_ID cookie, along with the partitioned session cookie, are effective. As the session cookie doesn't match the instance in the unpartitioned VCAP_ID cookie, the instance will cause another authentication flow.

We cannot rule out that other scenarios might occur when the Max-Age attribute is not copied to the VCAP_ID cookie.

The conditional Max-Age attribute was introduced 10 years ago with a bugfix resolving an issue that prevented reestablishing a sticky session.

Are there other reasons why we would want to keep the VCAP_ID cookie after the session cookie has expired?

Desired behavior

The Max-Age cookie attribute should unconditionally be copied from the session cookie to the VCAP_ID cookie.

Affected Version

current main
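As an added illustration of the mismatch described in this issue (not gorouter's code; `buildVcapID`, `stillValid` and `orphanedVcapID` are hypothetical helpers and all cookie values are constructed), the following Go snippet models the conditional Max-Age copy and checks which cookies a client would still send once Max-Age has elapsed:

```go
package main

import (
	"net/http"
	"time"
)

// buildVcapID models the attribute copy the issue describes; it is an
// illustration, not gorouter's code. The Partitioned flag is omitted because
// net/http's Cookie type only gained that field in Go 1.23.
func buildVcapID(session *http.Cookie, instanceID string, copyMaxAgeAlways bool) *http.Cookie {
	vcap := &http.Cookie{
		Name:    "VCAP_ID",
		Value:   instanceID,
		Path:    session.Path,
		Expires: session.Expires, // Expires is always copied, as in the issue
	}
	// Current behaviour: Max-Age is copied only when it is 0 or negative
	// (in net/http, MaxAge 0 means "no attribute", <0 means "delete now").
	if copyMaxAgeAlways || session.MaxAge <= 0 {
		vcap.MaxAge = session.MaxAge
	}
	return vcap
}

// stillValid reports whether a user agent that received c at setAt would
// still send it at now. Per RFC 6265, Max-Age takes precedence over Expires.
func stillValid(c *http.Cookie, setAt, now time.Time) bool {
	switch {
	case c.MaxAge > 0:
		return now.Before(setAt.Add(time.Duration(c.MaxAge) * time.Second))
	case c.MaxAge < 0:
		return false
	case !c.Expires.IsZero():
		return now.Before(c.Expires)
	}
	return true // plain session cookie: kept until the browser session ends
}

// orphanedVcapID replays the issue's scenario with constructed values: a
// session cookie with Max-Age=600 and a far-off Expires, checked 601 seconds
// later. It returns true when the session cookie is gone but VCAP_ID survives.
func orphanedVcapID(copyMaxAgeAlways bool) bool {
	setAt := time.Date(2024, 7, 16, 12, 0, 0, 0, time.UTC)
	session := &http.Cookie{Name: "JSESSIONID", Value: "constructed", Path: "/",
		MaxAge: 600, Expires: setAt.Add(24 * time.Hour)}
	vcap := buildVcapID(session, "instance-guid-placeholder", copyMaxAgeAlways)
	later := setAt.Add(601 * time.Second)
	return !stillValid(session, setAt, later) && stillValid(vcap, setAt, later)
}
```

With the current conditional copy `orphanedVcapID(false)` is true (the orphan VCAP_ID the issue describes); with the unconditional copy it is false.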

@hoffmaen hoffmaen changed the title Max-Age Cookie Attribute not copied to VCAP_ID Copy Max-Age cookie attribute to VCAP_ID unconditionally Jul 16, 2024