I have an app that uses https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore 4.4.7 to do rest api calls.
I have a situation where I go to make an API against a secure web application:
HTTP GET request 1: https://myapp.com/api/myrestrequest
It sees that I am missing a JESSIONID cookie so it sends me through a 302 to another page to get one:
302 GET request 2: https://myapp.com/sso/dologin?referer=/api/myrestrequest
This page reads my SSO session cookie then sends me back to the original request:
HTTP GET request 3: https://myapp.com/api/myrestrequest
Easy enough, pretty normal. But during GET request 2, there is a special cookie created that looks like this:
J-Login-Cookie="a8966ab6c6d65a7d6a"
But when HTTP client saves this cookie to the cookie store, it saves it like this:
J-Login-Cookie=a8966ab6c6d65a7d6a
It removes the quotes.
Why is that? I am having to use an HttpRequestInterceptor
to add my quotes back to the cookie value so that the request 3 doesn't fail. Is there some way to get it so that it stops removing those quotes?
curl
does not have this same behavior.
There was the question about opposite behavour.
Also I've found an explanation why Apache HTTP Client's behaviour is correct (beside the RFC itself)
HTTP State Management Mechanism RFC
UPDATE:
Source of Apache HTTP Client cookie parser, and some tests for it. Links are to the master
branch, fill free to adjust branch and commit version as you need.