Cookie explicitly set on the request is getting discarded in favor of the one from the cookie jar
Spikhalskiy opened this issue · 3 comments
Expected Behavior
A cookie explicitly specified on a RequestBuilder should take precedence over a cookie stored in the cookie jar.
Actual Behavior
cookieStore = httpClient.getCookieStore();
cookieStore.add("some_url", new DefaultCookie("name", "value1"));
BoundRequestBuilder requestBuilder = httpClient.prepareGet("some_url");
requestBuilder.addCookie(new DefaultCookie("name", "value2"));
httpClient.executeRequest(requestBuilder.build());
This code leads to a request being performed with cookie "name":"value1", which is not what is expected by a user when a user explicitly sets a cookie on a RequestBuilder.
Root cause
Cookies from the cookie jar are overriding cookies coming from the RequestBuilder here
Affected version
2.12.3, 3.0 pre-releases
The supplied link puts the commit hash in the wrong place, but the root cause is that it blindly overrides Cookies by using addOrReplaceCookie(cookie) from the CookieStore, but it should only be using addCookie(cookie), which is even then dangerous if it's duplicating.
I've added a PR that only uses Cookies from the CookieStore if they're unset.
As a note, you can work around this issue -- if you don't actually want the CookieStore -- by disabling it upon client creation:
DefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()
    .setCookieStore(null);
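
The precedence problem discussed in this thread, modelled as an added stand-alone Java example; it is not AsyncHttpClient's code or the PR's. The `Cookie` record and both merge methods are hypothetical stand-ins, and the sample values are constructed from the issue's snippet.

```java
import java.util.ArrayList;
import java.util.List;

public class CookieMergeDemo {
    // Minimal stand-in for a cookie; not the library's Cookie type.
    record Cookie(String name, String value) {}

    // Behaviour reported in the issue: a jar cookie replaces a same-named request cookie.
    static List<Cookie> mergeJarWins(List<Cookie> request, List<Cookie> jar) {
        List<Cookie> out = new ArrayList<>(request);
        for (Cookie c : jar) {
            out.removeIf(r -> r.name().equals(c.name()));
            out.add(c);
        }
        return out;
    }

    // Behaviour described for the fix: a jar cookie is used only when that
    // name is unset on the request, so nothing is overridden or duplicated.
    static List<Cookie> mergeRequestWins(List<Cookie> request, List<Cookie> jar) {
        List<Cookie> out = new ArrayList<>(request);
        for (Cookie c : jar) {
            boolean alreadySet = out.stream().anyMatch(r -> r.name().equals(c.name()));
            if (!alreadySet) out.add(c);
        }
        return out;
    }

    // Renders the merged list the way it would appear in a Cookie request header.
    static String header(List<Cookie> cookies) {
        StringBuilder sb = new StringBuilder();
        for (Cookie c : cookies) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(c.name()).append('=').append(c.value());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample data: the issue's "name" cookie plus one unrelated jar cookie.
        List<Cookie> jar = List.of(new Cookie("name", "value1"), new Cookie("lang", "en"));
        List<Cookie> request = List.of(new Cookie("name", "value2"));
        System.out.println("jar wins:     " + header(mergeJarWins(request, jar)));
        System.out.println("request wins: " + header(mergeRequestWins(request, jar)));
    }
}
```

When the overridden cookie carries a session or auth token, the jar-wins behaviour sends the request under the stored identity rather than the one the caller set, so a regression test for the fix should assert on the outgoing `Cookie` header value.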