Redirection cookie handling tests for issue #2671 #2672
Closed
Zerkath wants to merge 2 commits into
Redirects do not apply set-cookie in the request chain, meaning multistep request chains that track state will be missing cookies in the middle of redirection; the only real alternative is manual control.

After the redirection chain completes, any set-cookies that started or were in the middle of the request chain get ignored. Only the last response's set-cookies will be applied. It is possible to collect the cookies / headers from response.history, but it adds complexity.
Member
Thanks for the report and the failing test case @Zerkath. I've opened #2897, which implements the opt-in |
adamw added a commit that referenced this pull request May 29, 2026
…2897)

Closes #2671. Supersedes #2672 (which added a failing test demonstrating the problem, but no fix).

## Problem

The `Cookie` header is a sensitive header, so it is stripped when following a redirect. As a result, cookies set via `Set-Cookie` during a redirect chain were never sent to subsequent requests in that chain (see #2671).

## Approach

Implements the design @adamw outlined in #2671: an opt-in cookie jar.

- New `sttp.client4.wrappers.CookieStorage` — an immutable cookie jar. `set(setBy, cookies)` collects `Set-Cookie` cookies (rejecting ones whose `Domain` doesn't match the setting host); `forUri(uri)` returns the cookies to send to a URI. Matching follows a subset of [RFC 6265](https://www.rfc-editor.org/rfc/rfc6265): domain-matching, path-matching and the `Secure` attribute. Time-based expiry isn't tracked, but `Max-Age` <= 0 removes a cookie.
- `RequestBuilder.cookieStorage(storage)` attaches a storage to a request (via a request attribute).
- `FollowRedirectsBackend` (applied to all backends by default), when a storage is attached, sends the matching stored cookies with each request in a redirect chain and threads an updated storage through to the next request.

**Default behaviour is unchanged** unless a `CookieStorage` is explicitly attached.

## Tests

- `CookieStorageTest` — domain/host-only isolation, subdomain matching, cross-domain rejection, path, `Secure`, overwrite and `Max-Age` deletion.
- `FollowRedirectsBackendTest` — cookies set across a redirect chain reach subsequent requests when a storage is attached, and are not carried when it isn't.

Full `core` suite passes (631 tests), cross-compiled for Scala 2.12 / 2.13 / 3.

Credit to @Zerkath for the original report and test case in #2671 / #2672.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
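The matching rules named in the commit message above (domain-matching with host-only isolation, path-matching, `Secure`, cross-domain rejection and `Max-Age` <= 0 deletion), as an added Scala sketch that is not sttp's `CookieStorage` code. `Stored`, `Jar` and `RedirectChainDemo` are hypothetical names, the `.test` hosts and cookie values are constructed, and public-suffix and IP-address handling are left out.

```scala
import java.net.URI // added sketch with hypothetical names; not sttp's CookieStorage
final case class Stored(name: String, value: String, domain: String,
                        hostOnly: Boolean, path: String, secure: Boolean)

final case class Jar(cookies: Vector[Stored] = Vector.empty) {
  // RFC 6265 5.1.3: same host, or the host is a subdomain of the cookie domain.
  private def domainMatch(host: String, d: String) = host == d || host.endsWith("." + d)
  // RFC 6265 5.1.4: equal, or the cookie path is a prefix that ends at a "/" boundary.
  private def pathMatch(req: String, p: String) =
    req == p || (req.startsWith(p) && (p.endsWith("/") || req.charAt(p.length) == '/'))
  private def pathOf(u: URI) = Option(u.getPath).filter(_.startsWith("/")).getOrElse("/")
  // Default path: the setter's path up to, not including, its last "/".
  private def defaultPath(p: String) = if (p.lastIndexOf('/') <= 0) "/" else p.take(p.lastIndexOf('/'))

  def set(setBy: URI, header: String): Jar = { // store one Set-Cookie value sent by `setBy`
    val parts = header.split(";").map(_.trim).toList
    val (name, rawValue) = parts.head.span(_ != '=')
    val attrs = parts.tail.map(_.span(_ != '='))
      .map { case (k, v) => k.trim.toLowerCase -> v.drop(1).trim }.toMap
    val host = setBy.getHost.toLowerCase
    val dom = attrs.get("domain").map(_.stripPrefix(".").toLowerCase).filter(_.nonEmpty)
    if (dom.exists(d => !domainMatch(host, d))) this // Domain does not cover the setter: reject
    else {
      val c = Stored(name, rawValue.drop(1), dom.getOrElse(host), dom.isEmpty,
        attrs.get("path").filter(_.startsWith("/")).getOrElse(defaultPath(pathOf(setBy))),
        attrs.contains("secure"))
      val rest = cookies.filterNot(o => (o.name, o.domain, o.path) == (c.name, c.domain, c.path))
      val expired = attrs.get("max-age").flatMap(v => scala.util.Try(v.toLong).toOption).exists(_ <= 0)
      Jar(if (expired) rest else rest :+ c) // Max-Age <= 0 deletes instead of storing
    }
  }

  def forUri(uri: URI): Vector[(String, String)] = { // cookies allowed on a request to `uri`
    val host = uri.getHost.toLowerCase
    cookies.filter { c => // a host-only cookie needs an exact host match
      (if (c.hostOnly) host == c.domain else domainMatch(host, c.domain)) &&
      pathMatch(pathOf(uri), c.path) && (!c.secure || "https".equalsIgnoreCase(uri.getScheme))
    }.map(c => c.name -> c.value)
  }
}

object RedirectChainDemo {
  def main(args: Array[String]): Unit = {
    val login = new URI("https://app.example.test/login") // constructed first hop of a chain
    val jar = Jar().set(login, "session=abc; Path=/; Secure") // host-only, https only
      .set(login, "sso=xyz; Domain=example.test; Path=/")     // visible to subdomains
      .set(login, "evil=1; Domain=other.test")                // foreign Domain attribute
    for (next <- Seq("https://app.example.test/home", "https://api.example.test/v1",
                     "http://app.example.test/home", "https://other.test/"))
      println(s"$next -> ${jar.forUri(new URI(next))}")
  }
}
```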
Tests for #2671 which are now failing with the following output:
Before submitting pull request:
- sbt compile
- sbt compileDocs
- sbt test
- sbt scalafmt