Bug 65505 - MimeHeaders setValue Order problem
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Util
Version: 9.0.43
Hardware: All All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2021-08-18 12:02 UTC by Recall
Modified: 2021-08-24 14:30 UTC
Description Recall 2021-08-18 12:02:58 UTC
If I use Shiro's rememberMe when COMPRESSION is enabled, it causes the rememberMe cookie to stop working.

import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.http.ResponseUtil;
import org.junit.Test;

public class TomcatMixHeadersTest {

    /***
     * === MimeHeaders ===
     * Vary = Origin
     * Vary = Access-Control-Request-Method
     * Vary = Access-Control-Request-Headers
     * Access-Control-Allow-Origin = https://xxxx
     * Access-Control-Allow-Credentials = true
     * Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
     * Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
     */
    @Test
    public void testMimeHeaders() {
        MimeHeaders responseHeaders = new MimeHeaders();
        responseHeaders.addValue("Vary").setString("Origin");
        responseHeaders.addValue("Vary").setString("Access-Control-Request-Method");
        responseHeaders.addValue("Vary").setString("Access-Control-Request-Headers");
        responseHeaders.addValue("Access-Control-Allow-Origin").setString("https://xxxx");
        responseHeaders.addValue("Access-Control-Allow-Credentials").setString("true");
        responseHeaders.addValue("Set-Cookie").setString("rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax");
        responseHeaders.addValue("Set-Cookie").setString("rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax");

        System.out.println(responseHeaders);

        ResponseUtil.addVaryFieldName(responseHeaders, "accept-encoding");

        // Equivalent to the call above:
        // responseHeaders.setValue("Vary").setString("origin,access-control-request-method,access-control-request-headers,accept-encoding");

        System.out.println(responseHeaders);
    }

}


The execution result is:

=== MimeHeaders ===
Vary = Origin
Vary = Access-Control-Request-Method
Vary = Access-Control-Request-Headers
Access-Control-Allow-Origin = https://xxxx
Access-Control-Allow-Credentials = true
Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax

=== MimeHeaders ===
Vary = origin,access-control-request-method,access-control-request-headers,accept-encoding
Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
Access-Control-Allow-Origin = https://xxxx
Access-Control-Allow-Credentials = true

The order of the Set-Cookie headers was changed.

The source code location is:

org/apache/tomcat/embed/tomcat-embed-core/9.0.43/tomcat-embed-core-9.0.43-sources.jar!/org/apache/coyote/CompressionConfig.java:280

org.apache.tomcat.util.http.ResponseUtil#addVaryFieldName(org.apache.tomcat.util.http.MimeHeaders, java.lang.String)

org.apache.tomcat.util.http.MimeHeaders#setValue
Comment 1 Mark Thomas 2021-08-24 14:30:34 UTC
Thanks for the report. The root cause was that the removeHeader method changed the order.

Fixed in:
- 10.1.x for 10.1.0-M5 onwards
- 10.0.x for 10.0.11 onwards
- 9.0.x for 9.0.53 onwards
- 8.5.x for 8.5.71 onwards
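
Added example, not part of the bug report and not Tomcat's source: a simplified Java model of the root cause named in Comment 1, assuming the pre-fix removal filled the gap with the last header, which reproduces the reordered output in the description. It also shows why the order matters: a browser applies Set-Cookie headers in order, so a deleteMe cookie that ends up last clears rememberMe. Class and method names are hypothetical, and the cookie attributes are shortened from the report.

```java
import java.util.ArrayList;
import java.util.List;
// Simplified model of a header list; hypothetical names, not Tomcat's MimeHeaders source.
public class HeaderOrderDemo {
    // Keep the first header called `name`, drop later duplicates, then set its value.
    // swapRemove=true is the assumed pre-fix removal: the gap is filled with the last header.
    static List<String[]> setValue(List<String[]> in, String name, String value, boolean swapRemove) {
        List<String[]> h = new ArrayList<>(in);
        int first = 0;
        while (first < h.size() && !h.get(first)[0].equalsIgnoreCase(name)) first++;
        if (first == h.size()) { h.add(new String[] {name, value}); return h; }
        for (int j = first + 1; j < h.size(); j++) {
            if (!h.get(j)[0].equalsIgnoreCase(name)) continue;
            if (swapRemove) {
                h.set(j, h.get(h.size() - 1)); // last header jumps forward: order changes
                h.remove(h.size() - 1);
            } else {
                h.remove(j);                   // later headers shift down: order preserved
            }
            j--;                               // re-check the slot that now holds another header
        }
        h.set(first, new String[] {h.get(first)[0], value});
        return h;
    }

    // Cookie a browser ends up holding: Set-Cookie is applied in order, Max-Age=0 deletes.
    static String storedRememberMe(List<String[]> headers) {
        String stored = null;
        for (String[] f : headers) {
            if (!f[0].equalsIgnoreCase("Set-Cookie") || !f[1].startsWith("rememberMe=")) continue;
            stored = f[1].contains("Max-Age=0;") ? null : f[1].substring(0, f[1].indexOf(';'));
        }
        return stored;
    }

    public static void main(String[] args) {
        // Headers from the report; cookie attributes shortened.
        List<String[]> headers = List.of(
            new String[] {"Vary", "Origin"}, new String[] {"Vary", "Access-Control-Request-Method"},
            new String[] {"Vary", "Access-Control-Request-Headers"},
            new String[] {"Access-Control-Allow-Origin", "https://xxxx"}, new String[] {"Access-Control-Allow-Credentials", "true"},
            new String[] {"Set-Cookie", "rememberMe=deleteMe; Path=/; Max-Age=0; SameSite=lax"},
            new String[] {"Set-Cookie", "rememberMe=rememberMeData; Path=/; Max-Age=1296000; HttpOnly"});
        String vary = "origin,access-control-request-method,access-control-request-headers,accept-encoding";
        for (boolean swap : new boolean[] {true, false}) {
            System.out.println((swap ? "swap-with-last removal" : "order-preserving removal")
                + " -> stored cookie: " + storedRememberMe(setValue(headers, "Vary", vary, swap)));
        }
    }
}
```

With the swap-with-last removal the model leaves no rememberMe cookie stored; with the order-preserving removal the rememberMeData cookie survives.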