stateful session cookie additional attributes #36846

Open
vestemeanv opened this issue Oct 27, 2024 · 9 comments
Labels
area/cookies enhancement Feature requests. Not bugs or questions. help wanted Needs help!

@vestemeanv

Title: Cannot set additional cookie attributes for stateful session cookies

Description:
There should be a way to set additional attributes for self generated cookies (#27529).
Trying to set those with Lua also fails, as it does not see the self-generated stateful session cookie, since there's a variety of browsers that look at, for example, SameSite.

Repro steps:
Just the Lua repro below. Further, I could not find a way to set the cookie attributes for the stateful session.

    > .cookies; curl -Ik -c .cookies -b .cookies -H "Host: instance2.local" --resolve instance2.local:10002:127.0.0.1 https://instance2.local:10002/webaddr
    HTTP/1.1 200 OK
    set-cookie: JSESSIONID=9997; Path=/; HttpOnly
    date: Sun, 27 Oct 2024 23:10:01 GMT
    content-length: 21
    content-type: text/plain; charset=utf-8
    x-envoy-upstream-service-time: 0
    set-cookie: sticky_cookie="Cg4xMjcuMC4wLjE6OTk5Nw=="; Path=/; HttpOnly
    server: envoy

The Lua script logs only the cookie below. It does not look like it has access to sticky_cookie.

[2024-10-27 23:10:01.008][13][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:946] script log: JSESSIONID=9997; Path=/; HttpOnly

Lua script:

    -- Log the Set-Cookie header value(s) visible to this filter on the response path.
    function envoy_on_response(response_handle)
      response_handle:logInfo(response_handle:headers():get("Set-Cookie"))
    end

Also, the config below did not set the Secure flag for the cookie:

    response_headers_to_add:
    - header:
         key: "set-cookie"
         value: "%RESP(set-cookie)%; Secure"
      append_action: OVERWRITE_IF_EXISTS

Attached the config for /stats, /clusters and /server_info and /config_dump

@vestemeanv vestemeanv added bug triage Issue requires triage labels Oct 27, 2024
@vestemeanv
Author

envoy.tar.gz
Attachment

@vestemeanv
Author

vestemeanv commented Oct 27, 2024

I can't find a way to set cookie attributes into the stateful session cookie.
If there is a way to set the cookie attributes, could you please help me understand how to do that?
Thanks

@nezdolik nezdolik added area/cookies and removed triage Issue requires triage labels Oct 28, 2024
@nezdolik
Member

cc @wbpcode @cpakulski

@wbpcode
Member

wbpcode commented Oct 30, 2024

> I can't find a way to set cookie attributes into the stateful session cookie. If there is a way to set the cookie attributes could you please help me understand how to do that. Thanks

The cookie_attributes is not supported in the stateful session cookie (I changed this issue as a feature requirement). And I think you can also change it by lua filter if your lua filter is before stateful session filter in the http_filters list.

@wbpcode wbpcode added enhancement Feature requests. Not bugs or questions. help wanted Needs help! and removed bug labels Oct 30, 2024
@rudrakhp
Member

> The cookie_attributes is not supported in the stateful session cookie (I changed this issue as a feature requirement).

@wbpcode Is the ask here to support setting arbitrary cookie attributes in the stateful session cookie API?

> And I think you can also change it by lua filter if your lua filter is before stateful session filter in the http_filters list.

Does the stateful session filter append if there are existing cookie attributes?

@wbpcode
Member

wbpcode commented Oct 30, 2024

> @wbpcode Is the ask here to support setting arbitrary cookie attributes in the stateful session cookie API?

Yeah, but require somebody has time. I basically could help to review or bug fix. But have no bandwidth for new feature. Or would you like to contribute? Modern C++ developing is not complex. 😃

> Does the stateful session filter append if there are existing cookie attributes?

Because the set-cookie will be set when processing response. And when processing response, the execution order of http filter chain is reverse of the http_filters order.
If your lua filter is before the stateful session filter in the http_filters, then when processing response, lua filter will be executed after the stateful session, then you can change the set-cookie that is added by the stateful session at lua filter.

@rudrakhp
Member

> Yeah, but require somebody has time. I basically could help to review or bug fix.

@wbpcode Sure I can take it up as my first 💯

> And when processing response, the execution order of http filter chain is reverse of the http_filters order.

Makes sense 👍

@vestemeanv
Author

Thanks a lot for the help so far. I can confirm that moving the lua filter before the stateful session makes the stateful cookie available for the lua script.

[2024-10-30 12:57:00.688][10][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:946] script log: JSESSIONID=9997; Path=/; HttpOnly,sticky_cookie="Cg4xMjcuMC4wLjE6OTk5Nw=="; Path=/; HttpOnly

@geraldstanje

hi @vestemeanv can you show a demo sample?
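
A sketch of the workaround discussed in this thread, added here as an example (not code posted by any participant and not part of Envoy): a Lua filter listed before `envoy.filters.http.stateful_session` in `http_filters` runs after it on the response path and appends the missing attributes to the sticky cookie. The cookie name is taken from the curl output above; the `SameSite=Lax` value and the `harden` helper are assumptions.

```lua
-- Added example. COOKIE_NAME comes from the curl output in this thread;
-- the WANTED attribute values are assumptions to adapt per deployment.
local COOKIE_NAME = "sticky_cookie"
local WANTED = { { "secure", "Secure" }, { "samesite", "SameSite=Lax" } }

-- Append any missing WANTED attribute to one Set-Cookie value.
-- Cookies with a different name are returned unchanged.
local function harden(set_cookie)
  local name = set_cookie:match("^%s*([^=;%s]+)%s*=")
  if name ~= COOKIE_NAME then return set_cookie end
  local present, first = {}, true
  for part in set_cookie:gmatch("[^;]+") do
    if not first then -- skip the leading name=value pair
      local key = part:match("^%s*([^=%s]+)")
      if key then present[key:lower()] = true end
    end
    first = false
  end
  for _, want in ipairs(WANTED) do
    if not present[want[1]] then
      set_cookie = set_cookie .. "; " .. want[2]
    end
  end
  return set_cookie
end

-- Load-time self-check on constructed values.
assert(harden('sticky_cookie="abc"; Path=/; HttpOnly')
  == 'sticky_cookie="abc"; Path=/; HttpOnly; Secure; SameSite=Lax')
assert(harden("JSESSIONID=1; Path=/") == "JSESSIONID=1; Path=/")
assert(harden("sticky_cookie=abc; secure; SameSite=Strict")
  == "sticky_cookie=abc; secure; SameSite=Strict")

function envoy_on_response(response_handle)
  local headers = response_handle:headers()
  local count = headers:getNumValues("set-cookie")
  if count == 0 then return end
  -- Read each Set-Cookie line by its zero-based index: headers:get() joins
  -- them with commas, and Expires dates contain commas too.
  local cookies = {}
  for i = 0, count - 1 do
    cookies[#cookies + 1] = harden(headers:getAtIndex("set-cookie", i))
  end
  headers:remove("set-cookie")
  for _, cookie in ipairs(cookies) do
    headers:add("set-cookie", cookie)
  end
end
```

Attributes already present on the cookie are matched case-insensitively and never duplicated or overridden, so the script stays harmless if the stateful session filter later gains its own attribute support.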

5 participants