
I have an app that uses https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore 4.4.7 to do REST API calls.

I have a situation where I go to make an API call against a secure web application:

HTTP GET request 1: https://myapp.com/api/myrestrequest

It sees that I am missing a JSESSIONID cookie so it sends me through a 302 to another page to get one:

302 GET request 2: https://myapp.com/sso/dologin?referer=/api/myrestrequest

This page reads my SSO session cookie then sends me back to the original request:

HTTP GET request 3: https://myapp.com/api/myrestrequest

Easy enough, pretty normal. But during GET request 2, there is a special cookie created that looks like this:

J-Login-Cookie="a8966ab6c6d65a7d6a"

But when HTTP client saves this cookie to the cookie store, it saves it like this:

J-Login-Cookie=a8966ab6c6d65a7d6a

It removes the quotes.

Why is that? I am having to use an HttpRequestInterceptor to add my quotes back to the cookie value so that the request 3 doesn't fail. Is there some way to get it so that it stops removing those quotes?

curl does not have this same behavior.

Nicholas DiPiazza
  • [here](https://stackoverflow.com/questions/31662559) was the question about the opposite behaviour. And [here](https://github.com/golang/go/issues/10195) is an explanation of why Apache HTTP Client's behaviour is correct (besides the RFC itself) – Eir Nym Sep 30 '18 at 22:57
  • Yeah, I think this is more correct than the answer that is present on the question so far. Though the answer is still useful, in that it links to HttpCookie (part of JDK) that has this same behavior. – Nicholas DiPiazza Oct 01 '18 at 21:06
  • I've posted my comment as an answer. – Eir Nym Oct 01 '18 at 21:21
  • Please include a bit of code showing how you are instantiating the client and executing the REST call. – Joseph Bui Oct 02 '18 at 23:57

2 Answers


Surrounding quotes are removed from values here:

https://android.googlesource.com/platform/libcore/+/android-cts-7.0_r1/ojluni/src/main/java/java/net/HttpCookie.java#1110

From the looks of it, you can surround your quoted value with apostrophes. Right before making the redirected request, iterate through all the cookies looking for J-Login-Cookie and change the value from "a8966ab6c6d65a7d6a" to '"a8966ab6c6d65a7d6a"' so that only the outer apostrophes will be removed.

This is basically the same as using the interceptor. Your only other option would be to use a different HTTP client library.

Joseph Bui
  • That is `HttpCookie` but I am using Apache httpcomponents httpclient 4.x. https://github.com/apache/httpcomponents-client/tree/4.5.6/httpclient/src/main/java/org/apache/http/impl/cookie They don't seem like the same thing. Yes, I already am iterating through the cookies and re-adding quotes to ones I know are missing them using request interceptors. – Nicholas DiPiazza Oct 01 '18 at 21:06
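
The quote stripping this answer links to, and the re-quoting workaround mentioned in the question, as an added example that is not part of the original posts. It uses only the JDK's `java.net.HttpCookie` (not Apache HttpClient) and needs Java 9+ for `Set.of`; the `requote` helper, the `session` cookie and the `Path` attribute are assumptions made for illustration.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class CookieQuoteDemo {

    // Hypothetical helper: re-add surrounding double quotes to the named cookies
    // in a Cookie request header value such as "a=1; J-Login-Cookie=abc".
    // This is the string rewrite a request interceptor would apply before sending.
    static String requote(String cookieHeader, Set<String> quotedNames) {
        List<String> out = new ArrayList<>();
        for (String pair : cookieHeader.split(";")) {
            String p = pair.trim();
            if (p.isEmpty()) continue;
            int eq = p.indexOf('=');
            if (eq < 0) { out.add(p); continue; }   // no '=', keep the token as is
            String name = p.substring(0, eq).trim();
            String value = p.substring(eq + 1).trim();
            boolean alreadyQuoted = value.length() >= 2
                    && value.startsWith("\"") && value.endsWith("\"");
            if (quotedNames.contains(name) && !alreadyQuoted) {
                value = "\"" + value + "\"";        // restore the server's quoting
            }
            out.add(name + "=" + value);
        }
        return String.join("; ", out);
    }

    public static void main(String[] args) {
        // Constructed Set-Cookie line using the cookie value from the question.
        String setCookie = "Set-Cookie: J-Login-Cookie=\"a8966ab6c6d65a7d6a\"; Path=/";
        HttpCookie parsed = HttpCookie.parse(setCookie).get(0);
        // The JDK parser drops the surrounding quotes from the stored value.
        System.out.println("stored value : " + parsed.getValue());

        // What a client would send from the stored value, and the repaired header.
        String outgoing = "session=constructed-value; "
                + parsed.getName() + "=" + parsed.getValue();
        System.out.println("sent as is   : " + outgoing);
        System.out.println("after requote: "
                + requote(outgoing, Set.of("J-Login-Cookie")));
    }
}
```

Values that already carry both quotes are left alone, so applying the rewrite twice does not double-quote a cookie.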

There was the question about the opposite behaviour.

Also, I've found an explanation of why Apache HTTP Client's behaviour is correct (besides the RFC itself).

HTTP State Management Mechanism RFC

UPDATE:

Source of Apache HTTP Client cookie parser, and some tests for it. Links are to the master branch, feel free to adjust branch and commit version as you need.

Eir Nym