The problem seems to be the return of the "," in the cookie header in a
request for the second user to access the form. This is accompanied by an
extra request as well.
Instead of requesting the form directly from our persistence API
/persistence/cpf/crud/CPF/IMTEST-5580/form/form.xhtml
it seems to make a request to orbeon first
/orbeon/fr/service/persistence/crud/CPF/IMTEST-5580/form/form.xhtml
which is then forwarding the request to our API.
The user account where it works does not have this intermediate request. It
is this intermediate request that has the cookie header with the ','
separator in it.
What I see for the user who first accesses the form successfully are the
following requests (with relevant headers)
URI=/orbeon/fr/CPF/IMTEST-5580/view/201808234
cookie=JSESSIONID=goaYDR1Us_D674NSOj9CVNMkZLEZikEPDhSpU45G.localhost
cookie=JSESSIONIDSSO=5gmD1LXRbXwlqVl5sYiVdkdsxR2gvFDeD3UetnUq
header=Cookie=JSESSIONID=goaYDR1Us_D674NSOj9CVNMkZLEZikEPDhSpU45G.localhost;
JSESSIONIDSSO=5gmD1LXRbXwlqVl5sYiVdkdsxR2gvFDeD3UetnUq
method=GET
Response:
status=200
URI=/persistence/cpf/crud/CPF/IMTEST-5580/form/form.xhtml
cookie=JSESSIONID=fDisuvOtseTTjAexY5-dLENZqKIDGXy901_fsDge.localhost
cookie=JSESSIONIDSSO=5gmD1LXRbXwlqVl5sYiVdkdsxR2gvFDeD3UetnUq
header=Cookie=JSESSIONIDSSO=5gmD1LXRbXwlqVl5sYiVdkdsxR2gvFDeD3UetnUq
header=Cookie=JSESSIONID=fDisuvOtseTTjAexY5-dLENZqKIDGXy901_fsDge.localhost
method=GET
Response:
status=200
URI=/persistence/cpf/crud/CPF/IMTEST-5580/data/201808234/data.xml
cookie=JSESSIONID=fDisuvOtseTTjAexY5-dLENZqKIDGXy901_fsDge.localhost
cookie=JSESSIONIDSSO=5gmD1LXRbXwlqVl5sYiVdkdsxR2gvFDeD3UetnUq
header=Cookie=JSESSIONIDSSO=5gmD1LXRbXwlqVl5sYiVdkdsxR2gvFDeD3UetnUq
header=Cookie=JSESSIONID=fDisuvOtseTTjAexY5-dLENZqKIDGXy901_fsDge.localhost
method=GET
Response:
status=200
But for the other user I get these requests and the request fails. You can
see that there is the additional request to /orbeon/fr/service/persistence
and it is there that the cookies are being mucked up. The ',' separated
cookie header ends up with a JSESSIONIDSSO cookie value with ' ,JSESSIONID'
appended to it and this is passed on to our persistence layer where it fails
to authenticate.
URI=/orbeon/fr/CPF/IMTEST-5580/view/201808234
cookie=JSESSIONID=S8OxRabqld0GWPV65q8BoEDaXjAj45k2rDoKMJt7.localhost
cookie=JSESSIONIDSSO=b2WWTihX3K03VgHGDAmgaecKdii607tGcVcJGbN2
header=Cookie=JSESSIONID=S8OxRabqld0GWPV65q8BoEDaXjAj45k2rDoKMJt7.localhost;
JSESSIONIDSSO=b2WWTihX3K03VgHGDAmgaecKdii607tGcVcJGbN2
method=GET
Response:
status=403
URI=/orbeon/fr/service/persistence/crud/CPF/IMTEST-5580/form/form.xhtml
cookie=JSESSIONIDSSO=b2WWTihX3K03VgHGDAmgaecKdii607tGcVcJGbN2,
JSESSIONID
header=Cookie=JSESSIONIDSSO=b2WWTihX3K03VgHGDAmgaecKdii607tGcVcJGbN2,
JSESSIONID=iQC_8alVjS-qeWU1RI-kmAnC7Uk4YMDLNn3-UIvp.localhost
method=GET
Response:
cookie=JSESSIONID=eCk_T65L-9yTnRS5KI5-xt2zxXOzL7mAFFKum5qe.localhost;
domain=null; path=/orbeon
cookie=JSESSIONIDSSO=null; domain=null; path=/
header=Set-Cookie=JSESSIONID=eCk_T65L-9yTnRS5KI5-xt2zxXOzL7mAFFKum5qe.localhost;
path=/orbeon
header=Set-Cookie=JSESSIONIDSSO=""; path=/; Max-Age=0;
Expires=Thu, 01-Jan-1970 00:00:00 GMT
status=401
URI=/persistence/cpf/crud/CPF/IMTEST-5580/form/form.xhtml
cookie=JSESSIONIDSSO=b2WWTihX3K03VgHGDAmgaecKdii607tGcVcJGbN2,
JSESSIONID
header=Cookie=JSESSIONIDSSO=b2WWTihX3K03VgHGDAmgaecKdii607tGcVcJGbN2,
JSESSIONID
method=GET
Response:
cookie=JSESSIONIDSSO=null; domain=null; path=/
header=Set-Cookie=JSESSIONIDSSO=""; path=/; Max-Age=0;
Expires=Thu, 01-Jan-1970 00:00:00 GMT
status=401
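
Added example, not part of the original post and not Orbeon's or the application server's code: RFC 6265 separates the pairs in a Cookie header with ';', so a parser that follows it treats a ','-joined header as a single cookie whose value contains the rest. The sketch below shows that, a check that flags such headers in a request dump, and the correct way to merge separate Cookie header lines. The token values are constructed placeholders, and the exact mangled value a real server reports depends on its own parser.

```python
# Added example: simplified Cookie parsing, not Orbeon's or the server's code.
# Token values below are constructed placeholders, not the ones from the post.

KNOWN = {"JSESSIONID", "JSESSIONIDSSO"}


def parse_cookie_header(value):
    """Split a Cookie header into pairs on ';' only, as RFC 6265 defines it."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def join_cookie_headers(values):
    """Merge several Cookie header lines into one using '; ', never ', '."""
    return "; ".join(v.strip() for v in values if v.strip())


def swallowed_cookies(value, known=KNOWN):
    """Names of known cookies that ended up after a ',' inside another value."""
    found = []
    for val in parse_cookie_header(value).values():
        for part in val.split(",")[1:]:
            name = part.strip().partition("=")[0]
            if name in known:
                found.append(name)
    return found


COMMA_JOINED = "JSESSIONIDSSO=SSO_TOKEN, JSESSIONID=SESSION_ID.localhost"
SEPARATE = ["JSESSIONIDSSO=SSO_TOKEN", "JSESSIONID=SESSION_ID.localhost"]

if __name__ == "__main__":
    print(parse_cookie_header(COMMA_JOINED))   # one cookie, polluted value
    print(swallowed_cookies(COMMA_JOINED))     # the cookie hidden in it
    fixed = join_cookie_headers(SEPARATE)
    print(fixed, parse_cookie_header(fixed))   # two clean cookies
```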