Type: Problem report
Affects Version/s: 3.0.24, 4.0.2, 4.2.0alpha3
Sprint:Sprint 48, Jan 2019, Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
Zabbix uses a comma to join multiple same header fields. However for cookies, this results in corrupted cookies. Cookie headers should be joined with a semicolon, as specified by the spec (RFC 6265).
Steps to reproduce:
- Setup web performance check.
- The server should return a cookie header `Set-Cookie: A=B` in step 1.
- Step 2 should send a cookie header `Cookie: C=D`.
- Inspect the actual request sent by Zabbix in step 2.
The request specifies the headers as follows:
Cookie: A=B, C=D
This is parsed by some servers (e.g. ASP.NET) as a cookie with name "A" and value "B, C=D".
Cookie: A=B; C=D
This will be parsed by all RFC6265 compliant servers as two cookies; "A" with value "B" and "C" with value "D".
Note that the comma was a valid separator when the web was using "Netscape compliant cookies", especially RFC2109. However that RFC has been superseded by RFC 6265, and that only lists the semicolon as a valid separator:
The user agent sends stored cookies to the origin server in the Cookie header. If the server conforms to the requirements in Section 4.1 (and the user agent conforms to the requirements in Section 5), the user agent will send a Cookie header that conforms to the following grammar:
cookie-header = "Cookie:" OWS cookie-string OWS
cookie-string = cookie-pair *( ";" SP cookie-pair )
Multiple cookies returned from the server will correctly be joined by a semicolon. However when a custom header cookie is specified, it will be appended to the server-specified cookies and separated by a comma. As a result of this, the last cookie returned by the server will be corrupted.