Cookie saved and reused in 10CR2 for different request.

Article ID: 249314

Products

CA API Gateway

Issue/Introduction

We have recently upgraded our gateways from version 10.0 CR4 to 10.1 CR2. We are seeing some behavior differences related to cookies when the gateway is making an outbound route.

It seems like the gateway is caching for a period of time cookies set by the backend API. On subsequent calls, it is sending the cookies even if the gateway is handling a new request.

If you make any change to the gateway policy (e.g. adding an audit assertion), the gateway seems to reset its cache.

We have tried multiple things including explicitly trying to remove the cookie from the request and modifying the routing assertion to not send the Cookie header. No luck. I'm attaching the policy I have been testing with if that helps.

 

Environment

Release : 10.1

Component : API GATEWAY

Cause

The issue appears to come from the upgrade of the http-client library to 4.5.x. The old and new clients differ in how they use the context while processing a request. The issue can be observed only when the state pool is enabled for HTTP routing.

Old http client: https://github.com/apache/httpcomponents-client/blob/rel/v4.2.5/httpclient/src/main/java/org/apache/http/impl/client/AbstractHttpClient.java#L855

New http client: https://github.com/apache/httpcomponents-client/blob/4.5.x/httpclient/src/main/java/org/apache/http/impl/client/InternalHttpClient.java#L164

In the new library, http.cookie-store makes the difference, because it remembers the cookies from previous request/response processing. As the gateway does not want cookie management at the routing level, cookie management can be disabled for the HTTP client.

    // disableCookieManagement() is an instance method, so it is called on a builder instance
    HttpClientBuilder.create().disableCookieManagement();

With this setting on the HTTP client builder, the client does not process cookies from request or response messages.
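The client-level behavior described above, as an added example that is not Broadcom's or the gateway's code: two calls with no Cookie header go through one Apache HttpClient 4.5.x instance, and the second call through the default client carries the cookie the backend set on the first, while the client built with disableCookieManagement() sends none. The stub backend, class name and cookie value are constructed for illustration; the example assumes httpclient 4.5.x on the classpath and does not reproduce the gateway's state pool.

```java
import com.sun.net.httpserver.HttpServer;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;

import java.net.InetSocketAddress;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

public class CookieCarryOverDemo {
    // Cookie header received by the stub backend, one entry per request ("<none>" if absent).
    static final List<String> seen = new CopyOnWriteArrayList<>();

    public static void main(String[] args) throws Exception {
        // Constructed stub backend: records the inbound Cookie header, then sets a session cookie.
        HttpServer backend = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        backend.createContext("/", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            seen.add(cookie == null ? "<none>" : cookie);
            ex.getResponseHeaders().add("Set-Cookie", "SESSION=constructed-value; Path=/");
            ex.sendResponseHeaders(204, -1);
            ex.close();
        });
        backend.start();
        String url = "http://127.0.0.1:" + backend.getAddress().getPort() + "/";

        try (CloseableHttpClient shared = HttpClientBuilder.create().build();
             CloseableHttpClient noCookies =
                     HttpClientBuilder.create().disableCookieManagement().build()) {
            twoUnrelatedCalls(shared, url);      // default: cookies kept in a client-level store
            System.out.println("default client   : " + seen);
            seen.clear();
            twoUnrelatedCalls(noCookies, url);   // cookie processing switched off
            System.out.println("cookies disabled : " + seen);
        } finally {
            backend.stop(0);
        }
    }

    // Two calls with no caller-supplied context or Cookie header,
    // standing in for two separate inbound requests routed to the same backend.
    static void twoUnrelatedCalls(CloseableHttpClient client, String url) throws Exception {
        for (int i = 0; i < 2; i++) {
            try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
                EntityUtils.consume(resp.getEntity());
            }
        }
    }
}
```

The same stub-backend approach can be pointed at by a test route to confirm that no Cookie header reaches the backend once the workaround or hotfix is in place.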

Resolution

The workaround is to disable the routing state pool.

In the system.properties file

    /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties

set

    com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable=false

and then restart the gateway:

    service ssg restart

*** Special note: Disabling statePool will affect HTTP keep-alive on outbound routes, so it could cause some additional performance concerns if you are utilizing keep-alive on HTTP routing assertions. (This does not affect keep-alive on inbound gateway connections to the HTTP listen port.)

A hotfix is also available upon request: DE545252_Fix_ViewingSSGLogsFrom_OtherNodes.

A support case can be opened to request the fix.