Incorrect handling of Cookies
timmjd opened this issue · 2 comments
Jenkins and plugins versions report
Environment
Retrieving update center information
Update center URL: https://updates.jenkins.io/update-center.json?version=2.319.3
Cache entry expired: update-center-2.319.3. Will skip it
Cache miss for: update-center-2.319.3
Cache entry expired: experimental-update-center-2.319.3. Will skip it
Cache miss for: experimental-update-center-2.319.3
Cache entry expired: plugin-versions. Will skip it
What Operating System are you using (both controller, and any agents involved in the problem)?
Jenkins Server on Kubernetes - Linux
Reproduction steps
Set JENKINS_UC_DOWNLOAD_URL to point to an AWS-based Artifactory that does mirror http://mirrors.jenkins.io/plugins
Expected Results
No additional warnings
Actual Results
Warning for every download that gets executed
Feb 17, 2022 10:02:47 AM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: AWSALB=iD/6p7wm ... ; Expires=Thu, 24 Feb 2022 10:02:47 GMT; Path=/". Invalid 'expires' attribute: Thu, 24 Feb 2022 10:02:47 GMT
...
Feb 17, 2022 10:02:47 AM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: AWSALBCORS=5hHYZ2AwV/mmSL ... ; Expires=Thu, 24 Feb 2022 10:02:47 GMT; Path=/; SameSite=None; Secure". Invalid 'expires' attribute: Thu, 24 Feb 2022 10:02:47 GMT
Anything else?
Looks like cookies are not processed during the download. See https://stackoverflow.com/a/40697322, see also elastic/support-diagnostics#233 (comment) and https://issues.apache.org/jira/browse/AMQ-6571
probably an easy fix
It is recommended to explicitly enable the STANDARD policy (see https://issues.apache.org/jira/browse/HTTPCLIENT-1763 and https://archive.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.4.x.txt):
"Please note that the old cookie policy is still used by default for compatibility reasons. RFC 6265 compliant cookie policies need to be explicitly configured by the user. Please also note that as of next feature release support for Netscape draft, RFC 2109 and RFC 2965 cookie policies will be deprecated and disabled by default. It is recommended to use RFC 6265 compliant policies for new applications unless compatibility with RFC 2109 and RFC 2965 is required and to migrate existing applications to the default cookie policy."
This will drop compatibility with ancient cookie policies, though...
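As an added illustration of the STANDARD policy discussed in this thread (not code from the issue or from the Jenkins project), the following parses a header shaped like the AWSALB one in the log with the legacy default spec and with the RFC 6265 spec, then builds a client that opts in to `CookieSpecs.STANDARD`. It assumes Apache HttpClient 4.5.x on the classpath, where `CookieSpecs.STANDARD` resolves to the relaxed RFC 6265 spec (`RFC6265LaxSpec`); the class name `CookieSpecDemo`, the host `artifactory.example.com` and the cookie value are constructed placeholders.

```java
import java.util.List;
import org.apache.http.Header;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.cookie.Cookie;
import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.CookieSpec;
import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.cookie.DefaultCookieSpec;
import org.apache.http.impl.cookie.RFC6265LaxSpec;
import org.apache.http.message.BasicHeader;

public class CookieSpecDemo {
    // Constructed sample: same shape as the AWSALB header in the log, placeholder value.
    static final Header SET_COOKIE = new BasicHeader("Set-Cookie",
            "AWSALB=constructedValue; Expires=Thu, 24 Feb 2022 10:02:47 GMT; Path=/");

    // Returns the parsed expiry, or the parser's error message if the header is rejected.
    static String tryParse(CookieSpec spec) {
        // Hypothetical mirror host; the origin only supplies domain and path defaults.
        CookieOrigin origin = new CookieOrigin("artifactory.example.com", 443, "/", true);
        try {
            List<Cookie> cookies = spec.parse(SET_COOKIE, origin);
            return "accepted, expires " + cookies.get(0).getExpiryDate();
        } catch (MalformedCookieException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Client that opts in to the RFC 6265 policy for every request it sends.
    static CloseableHttpClient standardCookieClient() {
        RequestConfig config = RequestConfig.custom()
                .setCookieSpec(CookieSpecs.STANDARD)
                .build();
        return HttpClients.custom().setDefaultRequestConfig(config).build();
    }

    public static void main(String[] args) throws Exception {
        // The legacy default expects the Netscape draft date form (dd-MMM-yy with dashes).
        System.out.println("legacy default: " + tryParse(new DefaultCookieSpec()));
        System.out.println("STANDARD      : " + tryParse(new RFC6265LaxSpec()));
        try (CloseableHttpClient client = standardCookieClient()) {
            System.out.println("client built with cookie spec " + CookieSpecs.STANDARD);
        }
    }
}
```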