oxf.http.forward-cookies issue in case of invalid JSESSIONID


oxf.http.forward-cookies issue in case of invalid JSESSIONID

christophe.de.decker
Hello All,

I am experiencing an issue with the "oxf.http.forward-cookies" property. I'll try and make the description as clear as possible.

I have a webapp which is configured to forward some extra cookie "m"; this line is added in my properties-local.xml:

<property as="xs:string" name="oxf.http.forward-cookies" value="JSESSIONID JSESSIONIDSSO m" />.

I try to open a form through that webapp which is specified to initialize an instance through a submission triggered at xforms-model-construct-done:

<xforms:instance xxforms:readonly="true" xxforms:cache="true" id="dropdownlist">
        <dummy></dummy>
</xforms:instance>
<xforms:submission id="s-d2e15-dropdownlist" method="get" instance="dropdownlist" replace="instance" serialization="none" action="someurl"></xforms:submission>
<xforms:send ev:event="xforms-model-construct-done" submission="s-d2e15-dropdownlist"></xforms:send>

The call to "someurl" should include the additional "m" cookie, which it does in some cases but not all. When the user opens the form but his JSESSIONID is no longer valid (or empty) on the server, the server notices that the session is not valid and creates a new session. However, in this case no cookies are forwarded to the "someurl" call.

I have debugged the Scala code somewhat and found this in org.orbeon.oxf.util.Connection.scala:

private def sessionCookieFromIncoming(
    externalContext: ExternalContext,
    nativeRequest: HttpServletRequest,
    cookiesToForward: Seq[String],
    sessionCookieName: String)(implicit logger: IndentedLogger): Option[(String, Array[String])] = {

    // Figure out if we need to forward session cookies. We only forward if there is the requested
    // session id is the same as the current session. Otherwise, it means that the current session is no
    // longer valid, or that the incoming cookie is out of date.
    def requestedSessionIdMatches =
        Option(externalContext.getSession(false)) exists { session ⇒
            val requestedSessionId = externalContext.getRequest.getRequestedSessionId
            session.getId == requestedSessionId
        }

    val cookies = Option(nativeRequest.getCookies) getOrElse Array.empty[Cookie]
    if (requestedSessionIdMatches && cookies.nonEmpty) {

        val pairsToForward =
            for {
                cookie ← cookies
                if cookiesToForward.contains(cookie.getName)
            } yield
                cookie.getName + '=' + cookie.getValue

        if (pairsToForward.nonEmpty) {

            // Multiple cookies in the header, separated with ";"
            val cookieHeaderValue = pairsToForward mkString "; "

            debug("forwarding cookies", Seq(
                "cookie" → cookieHeaderValue,
                "requested session id" → externalContext.getRequest.getRequestedSessionId))

            Some("cookie" → Array(cookieHeaderValue))
        } else
            None
    } else
        None
}

When evaluating "requestedSessionIdMatches", getSession returns null, which defines the boolean as being false; in that case nothing is forwarded because of: "if (requestedSessionIdMatches && cookies.nonEmpty) {".

If I alter the code slightly:

 - "if (requestedSessionIdMatches && cookies.nonEmpty) {" --> "if (cookies.nonEmpty ) {"
 - "if cookiesToForward.contains(cookie.getName)" --> "if (cookiesToForward.contains(cookie.getName) && (sessionCookieName != cookie.getName || requestedSessionIdMatches))"

then my use case works and the "m" cookie is at least forwarded in the call to "someurl".

Now my question(s):

Why is there nothing forwarded if the incoming session is invalid? This can be the case when opening a form for the first time after a server restart.
Am I on the right track with the current modification?
At that point Orbeon has already created a new session; should the JSESSIONID cookie for that session not be passed to the call to "someurl"?

Re: oxf.http.forward-cookies issue in case of invalid JSESSIONID

christophe.de.decker
Is the description a bit clear?
Do you need more information on this?

This problem is quite urgent, hence the reason for this reminder post.

Re: oxf.http.forward-cookies issue in case of invalid JSESSIONID

Alessandro  Vernet
Administrator
In reply to this post by christophe.de.decker
Hi Christophe,

First, the "easy" part: when the first query comes in, we don't yet have a JSESSIONID (or if we do, it is an incorrect one, and forwarding it wouldn't help). Now, this usually isn't a problem:

- With BASIC auth, the xf:submission can forward the Authorization header, so it can access the service and the service knows who the user is.
- With form-based auth, the JSESSIONID is set when users log in, then there is a redirect to the form, which hence receives a proper JSESSIONID.
- With no authentication, on the first request no JSESSIONID is forwarded, but this isn't a problem since: (a) there is no concern of relying on the JSESSIONID to know who the user is (we're in the case of an anonymous user) and (b) the Orbeon Forms services don't rely on a session being shared between the caller and callee.

Now, as far as another cookie being forwarded, I think you're right. This was already reported way-back-when, but somehow we were not able to reproduce the problem at the time. I tried now, and was able to reproduce it. So I pushed a fix along the lines of what you suggested, and this will be in the upcoming 4.7 release. For tracking, this was the issue:

https://github.com/orbeon/orbeon-forms/issues/1070

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
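To make the behaviour change discussed in this thread concrete, here is an added example (written for this page, not Orbeon's own code) that models the cookie-forwarding decision in Python. It places the original rule from the Connection.scala snippet above next to the rule Christophe proposed: forward every cookie named in oxf.http.forward-cookies, but drop only the session cookie when the requested session id no longer matches the current session. The function and variable names, the cookie names and the session ids are all constructed for the example.

```python
from typing import List, Optional, Tuple

# Constructed sample input: the "oxf.http.forward-cookies" list from the thread
# and the session cookie name used by the servlet container.
COOKIES_TO_FORWARD: List[str] = ["JSESSIONID", "JSESSIONIDSSO", "m"]
SESSION_COOKIE_NAME = "JSESSIONID"

# Constructed sample Cookie header, as a browser would send it after a server
# restart: the JSESSIONID refers to a session the server no longer knows.
STALE_COOKIE_HEADER = "JSESSIONID=stale-session-id; m=extra-value; unrelated=ignored"


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie request header into (name, value) pairs, keeping order."""
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def requested_session_id_matches(current_session_id: Optional[str],
                                 requested_session_id: Optional[str]) -> bool:
    """Mirror of requestedSessionIdMatches: with no current session (getSession(false)
    returned null) or a requested id that differs from it, the incoming session
    cookie is stale and must not be trusted."""
    return current_session_id is not None and current_session_id == requested_session_id


def cookie_header_before_fix(cookies: List[Tuple[str, str]],
                             cookies_to_forward: List[str],
                             session_matches: bool) -> Optional[str]:
    """Original rule: if the session does not match, nothing at all is forwarded,
    which is what silently dropped the extra "m" cookie in the thread."""
    if not (session_matches and cookies):
        return None
    pairs = [f"{name}={value}" for name, value in cookies if name in cookies_to_forward]
    return "; ".join(pairs) if pairs else None


def cookie_header_after_fix(cookies: List[Tuple[str, str]],
                            cookies_to_forward: List[str],
                            session_cookie_name: str,
                            session_matches: bool) -> Optional[str]:
    """Proposed rule: forward each listed cookie, except that the session cookie is
    only forwarded when the requested session id matches the current session."""
    if not cookies:
        return None
    pairs = [
        f"{name}={value}"
        for name, value in cookies
        if name in cookies_to_forward
        and (name != session_cookie_name or session_matches)
    ]
    return "; ".join(pairs) if pairs else None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Run both rules over the stale-session sample and return (before, after)."""
    cookies = parse_cookie_header(STALE_COOKIE_HEADER)
    # Server restarted: there is no current session, so getSession(false) is null.
    matches = requested_session_id_matches(None, "stale-session-id")
    before = cookie_header_before_fix(cookies, COOKIES_TO_FORWARD, matches)
    after = cookie_header_after_fix(cookies, COOKIES_TO_FORWARD, SESSION_COOKIE_NAME, matches)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)   # None: nothing forwarded at all
    print("after fix: ", after)    # m=extra-value: stale JSESSIONID dropped, "m" kept
```

In the stale-session case the original rule forwards nothing, while the proposed rule still forwards "m" and only withholds the JSESSIONID whose session the server no longer recognises; when the ids do match, both rules forward the session cookie along with the other listed cookies.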

Re: oxf.http.forward-cookies issue in case of invalid JSESSIONID

christophe.de.decker
Thanks for the quick reply and quick fix. I was able to incorporate the fix into my setup and all is well now.