spring-session icon indicating copy to clipboard operation
spring-session copied to clipboard
verified publisher icon spring-projects

Incompatibility with Apache Http Client 4.x due to Cookie Expires date format

Open aschepp opened this issue 5 months ago • 0 comments

Describe the bug With Commit https://github.com/spring-projects/spring-session/commit/00465a6f00bef564796c4a34a9228efb5fe6ede9 you created your own implementation of the Set-Cookie header in DefaultCookieSerializer.writeCookieValue(...). But the date format in the Expires field is not spec compliant to the Netscape Draft spec. With the change you set the date format to RFC1123 which has spaces in between the date fields, but the original spec requires dashes in between the date fields.

We encountered this issue, when using Apache Http Client 4.x against one of our servers. Apache Http Client 4.x support the Netscape Draft Spec, RFC2109 and RFC2965. If the expires field is present, it defaults to the Netscape Draft Spec and the date format with dashes. Code It then continues to fail to parse the Session Cookie.

Apache Http Clients version 5.x are okay, because then the RFC6265 is used.

Feel free to close this ticket, if you think it's not necessary to support these old clients anymore.

aschepp avatar Aug 15 '25 14:08 aschepp