Diagnostic data for forwarding cookies issue
10 views
Skip to first unread message
Marcin Słowikowski
May 4, 2026, 11:54:02 AM (12 days ago) May 4
to Orbeon Forms
Hello Dear Orbeon-team,
Sorry for avalanche of problems earlier, now there is one extra issue and I have some diagnostic data that might help You fix this one up as it is quite close to be working (it works okay in most places).
The thing in question is cookie forwarding toward external persistence API.
And I guess You had this problem earlier at:
https://github.com/orbeon/orbeon-forms/issues/7066
As I discovered this problem in orbeon2023.1-ce and I can't currently confirm it's in version 2025 (but I'm assuming it still is since ticket is open) I'm not opening a new ticket, I'll just comment on old one.
Btw running Orbeon on Wildfly.
Currently found workaround on by using header forwarding.
Changing order of the cookie forwarding names also breaks logic and forwarding cookie-header in header forwarding also ended tragically.
I'm assuming it might be related to the handing in Connection.scala class.
TL;DR - problem is in some places but other places work fine, sometimes JSESSIONID is ommited (HEAD methods), sometimes present, logic is botched when cookie names list changes order or JSESSIONID is not first cookie forward or cookie header is forwarded as header itself.
Below is presented diagnostic data that allowed me to pinpoint some of the problems with cookies forwarding.
configuration inside properties-local.xml (some custom JWT related cookies specific to deployment I'm working on):
header forward: <property as="xs:string" name="oxf.http.forward-headers" value="JWT_AUTH JWT-permissions"/>
cookie forward: <property as="xs:string" name="oxf.http.forward-cookies" value="JSESSIONID JWT_AUTH_COOKIE"/>
Ok content for cookie JSESSIONID is when <sessionId>.<route> is present.
First scenario - reading and saving Orbeon Builder form:
(Preflight Orbeon Builder form)
Orbeon-log: /fr/service/persistence/crud/orbeon/builder/form/form.xhtml - Received request
Request METHOD: HEAD
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - OK for headers, OK for cookies
(Reading Orbeon Builder form)
Orbeon-log: /fr/service/persistence/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - Received request
Request METHOD: GET
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - OK for headers, OK for cookies
(Reading Orbeon Builder global library)
Orbeon-log: /fr/service/persistence/form/orbeon/library - Received request
Request METHOD: GET
Request URL: <persistence-service>/form/orbeon/library/form/form.xhtml - OK for headers, OK for cookies
(Reading Orbeon Builder form library)
Orbeon-log: /fr/service/persistence/form/servicetypetest/library - Received request
Request METHOD: GET
Request URL: <persistence-service>/form/servicetypetest/library/form/form.xhtml - OK for headers, OK for cookies
(Preflight Orbeon Builder form)
Orbeon-log: /fr/service/persistence/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - Received request
Request METHOD: HEAD
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml
- only JSESSIONID cookie is present and is missing cluster identificator (.<route> part)
- OK for headers
(Save Orbeon Builder form)
Orbeon-log: /fr/service/resource/form/orbeon/builder - Received request
Request METHOD: PUT
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml
- twice cookie of value JSESSIONID is present and one is missing cluster identificator (.<route> part), second JSESSIONID is OKAY (from reading cookie-header directly)
- OK for headers
Second scenario - finding, reading Published form:
(Requesting published forms list)
Orbeon-log: /fr/service/resource/form - Received request
Request METHOD: GET
Request URL: <persistence-service>/form - OK for headers, OK for cookies
<<<Enters some published form version lists>>>
(This one is retrieving all the versions of selected published form)
Orbeon-log: /fr/service/persistence/form/servicetypetest/testing - Received request
Request METHOD: GET
Request URL: <persistence-service>/form/servicetypetest/testing - OK for headers, OK for cookies
(Not sure why it's already trying to retrieve latest published form, maybe to simply check existence, anyway outside of scope of the problem and forwarding works here)
Orbeon-log: /fr/service/persistence/crud/servicetypetest/testing/form/form.xhtml - Received request
Request METHOD: GET
Request URL: <persistence-service>/crud/servicetypetest/testing/form/form.xhtml - OK for headers, OK for cookies
(Another search goes https://doc.orbeon.com/form-runner/api/persistence/forms-metadata#purpose <- im guessing it's that, forwarding is okay here)
Orbeon-log: /fr/service/persistence/search/servicetypetest/testing - Received request
Request METHOD: POST
Request URL: <persistence-service>/search/servicetypetest/testing - OK for headers, OK for cookies
<<<Opens new published form>>>
(Again we go for latest published form)
Orbeon-log: /fr/service/persistence/crud/servicetypetest/testing/form/form.xhtml - Received request
Request METHOD: GET
Request URL: <persistence-service>/crud/servicetypetest/testing/form/form.xhtml - OK for headers, OK for cookies
Third scenario - listing, reading and saving Orbeon Builder form (configuration no longer has forward cookie on JSESSIONID):
configuration inside properties-local.xml (some custom JWT related cookies specific to deployment I'm working on):
header forward: <property as="xs:string" name="oxf.http.forward-headers" value="JWT_AUTH JWT-permissions"/>
cookie forward: <property as="xs:string" name="oxf.http.forward-cookies" value="JWT_AUTH_COOKIE"/>
(Searching and listing builder forms)
Orbeon-log: /fr/service/persistence/search/orbeon/builder - Received request
Request METHOD: POST
Request URL: <persistence-service>/search/orbeon/builder
- OK for headers
- sessionId is written into JWT_AUTH_COOKIE and is missing cluster information (.<route> part), JSESSIONID is missing
(Preflight for saving builder form)
Orbeon-log: /fr/service/persistence/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - Received request
METHOD: HEAD
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml
- OK for headers
- sessionId is written into JWT_AUTH_COOKIE and is missing cluster information (.<route> part), JSESSIONID is missing
(Saving builder form)
Orbeon-log: /fr/service/resource/form/orbeon/builder - Received request
Request METHOD: PUT
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml
- OK for headers
- sessionId is written into JWT_AUTH_COOKIE and is missing cluster information (.<route> part), JSESSIONID is okay
Sorry for avalanche of problems earlier, now there is one extra issue and I have some diagnostic data that might help You fix this one up as it is quite close to be working (it works okay in most places).
The thing in question is cookie forwarding toward external persistence API.
And I guess You had this problem earlier at:
https://github.com/orbeon/orbeon-forms/issues/7066
As I discovered this problem in orbeon2023.1-ce and I can't currently confirm it's in version 2025 (but I'm assuming it still is since ticket is open) I'm not opening a new ticket, I'll just comment on old one.
Btw running Orbeon on Wildfly.
Currently found workaround on by using header forwarding.
Changing order of the cookie forwarding names also breaks logic and forwarding cookie-header in header forwarding also ended tragically.
I'm assuming it might be related to the handing in Connection.scala class.
TL;DR - problem is in some places but other places work fine, sometimes JSESSIONID is ommited (HEAD methods), sometimes present, logic is botched when cookie names list changes order or JSESSIONID is not first cookie forward or cookie header is forwarded as header itself.
Below is presented diagnostic data that allowed me to pinpoint some of the problems with cookies forwarding.
configuration inside properties-local.xml (some custom JWT related cookies specific to deployment I'm working on):
header forward: <property as="xs:string" name="oxf.http.forward-headers" value="JWT_AUTH JWT-permissions"/>
cookie forward: <property as="xs:string" name="oxf.http.forward-cookies" value="JSESSIONID JWT_AUTH_COOKIE"/>
Ok content for cookie JSESSIONID is when <sessionId>.<route> is present.
First scenario - reading and saving Orbeon Builder form:
(Preflight Orbeon Builder form)
Orbeon-log: /fr/service/persistence/crud/orbeon/builder/form/form.xhtml - Received request
Request METHOD: HEAD
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - OK for headers, OK for cookies
(Reading Orbeon Builder form)
Orbeon-log: /fr/service/persistence/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - Received request
Request METHOD: GET
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - OK for headers, OK for cookies
(Reading Orbeon Builder global library)
Orbeon-log: /fr/service/persistence/form/orbeon/library - Received request
Request METHOD: GET
Request URL: <persistence-service>/form/orbeon/library/form/form.xhtml - OK for headers, OK for cookies
(Reading Orbeon Builder form library)
Orbeon-log: /fr/service/persistence/form/servicetypetest/library - Received request
Request METHOD: GET
Request URL: <persistence-service>/form/servicetypetest/library/form/form.xhtml - OK for headers, OK for cookies
(Preflight Orbeon Builder form)
Orbeon-log: /fr/service/persistence/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - Received request
Request METHOD: HEAD
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml
- only JSESSIONID cookie is present and is missing cluster identificator (.<route> part)
- OK for headers
(Save Orbeon Builder form)
Orbeon-log: /fr/service/resource/form/orbeon/builder - Received request
Request METHOD: PUT
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml
- twice cookie of value JSESSIONID is present and one is missing cluster identificator (.<route> part), second JSESSIONID is OKAY (from reading cookie-header directly)
- OK for headers
Second scenario - finding, reading Published form:
(Requesting published forms list)
Orbeon-log: /fr/service/resource/form - Received request
Request METHOD: GET
Request URL: <persistence-service>/form - OK for headers, OK for cookies
<<<Enters some published form version lists>>>
(This one is retrieving all the versions of selected published form)
Orbeon-log: /fr/service/persistence/form/servicetypetest/testing - Received request
Request METHOD: GET
Request URL: <persistence-service>/form/servicetypetest/testing - OK for headers, OK for cookies
(Not sure why it's already trying to retrieve latest published form, maybe to simply check existence, anyway outside of scope of the problem and forwarding works here)
Orbeon-log: /fr/service/persistence/crud/servicetypetest/testing/form/form.xhtml - Received request
Request METHOD: GET
Request URL: <persistence-service>/crud/servicetypetest/testing/form/form.xhtml - OK for headers, OK for cookies
(Another search goes https://doc.orbeon.com/form-runner/api/persistence/forms-metadata#purpose <- im guessing it's that, forwarding is okay here)
Orbeon-log: /fr/service/persistence/search/servicetypetest/testing - Received request
Request METHOD: POST
Request URL: <persistence-service>/search/servicetypetest/testing - OK for headers, OK for cookies
<<<Opens new published form>>>
(Again we go for latest published form)
Orbeon-log: /fr/service/persistence/crud/servicetypetest/testing/form/form.xhtml - Received request
Request METHOD: GET
Request URL: <persistence-service>/crud/servicetypetest/testing/form/form.xhtml - OK for headers, OK for cookies
Third scenario - listing, reading and saving Orbeon Builder form (configuration no longer has forward cookie on JSESSIONID):
configuration inside properties-local.xml (some custom JWT related cookies specific to deployment I'm working on):
header forward: <property as="xs:string" name="oxf.http.forward-headers" value="JWT_AUTH JWT-permissions"/>
cookie forward: <property as="xs:string" name="oxf.http.forward-cookies" value="JWT_AUTH_COOKIE"/>
(Searching and listing builder forms)
Orbeon-log: /fr/service/persistence/search/orbeon/builder - Received request
Request METHOD: POST
Request URL: <persistence-service>/search/orbeon/builder
- OK for headers
- sessionId is written into JWT_AUTH_COOKIE and is missing cluster information (.<route> part), JSESSIONID is missing
(Preflight for saving builder form)
Orbeon-log: /fr/service/persistence/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml - Received request
METHOD: HEAD
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml
- OK for headers
- sessionId is written into JWT_AUTH_COOKIE and is missing cluster information (.<route> part), JSESSIONID is missing
(Saving builder form)
Orbeon-log: /fr/service/resource/form/orbeon/builder - Received request
Request METHOD: PUT
Request URL: <persistence-service>/crud/orbeon/builder/data/a45db923782f58b5b1a759f5a00e429592fc039a/data.xml
- OK for headers
- sessionId is written into JWT_AUTH_COOKIE and is missing cluster information (.<route> part), JSESSIONID is okay
Reply all
Reply to author
Forward
0 new messages