I see a lot of the below-mentioned messages in the app-ca.log:
WARN 2015-08-04 07:47:27,942 [ZZZZ] protocol.ResponseProcessCookies (clarity:XXXX:*********:none) Invalid cookie header: "Set-Cookie: userLocale=en_US;secure;Expires=Wed,;secure; 5-Aug-2015 14:47:27;secure; GMT;Secure;HttpOnly". Unable to parse expires attribute: Wed,
What would be the reason for this?
Also, I have seen a security pop-up when downloading from Advanced Reporting (Jaspersoft). If I click on Cancel, it goes away and the Excel spreadsheet loads fine. You do not get it when downloading a PDF, only an editable file.
Has anyone experienced this?
This looks like the header mismatch; can you please provide steps to reproduce and I will test and revert back.
It looks like a tokenization issue. The comma in the date is being seen as a delimiter and the ;secure; cookie directive is being injected into the middle of the value accidentally.
What's your exact patch and version number of Clarity? Also can you confirm your secure cookie settings on the application properties tab of the CSA (and if enabled, see if the warnings disappear when they are disabled as a test if possible)?
The options in the CSA for Use Secure Session Cookie and Use HTTP Session Cookie are responsible for the piece at the end of the line where it says ";Secure;HttpOnly".
I haven't seen anywhere where we add the ";secure;" keyword into individual parts of the cookie after each token, but that doesn't mean it doesn't happen somewhere (given that it seems to be complaining in the app-ca.log when this cookie set directive is being added to the response, maybe it does).
I also couldn't find where we would set a cookie with the userLocale key/value and an expiry date associated with it (I went through advanced reporting and exporting to excel as part of that coverage too), but somewhere within Jaspersoft / Advanced Reporting is most likely based on some test cases I saw.
Maybe we can learn more about that in time, however for the meantime if it is preferred to suppress this message in some places (e.g. for production environments) then you may want to add a logger category name of org.apache.http.client.protocol or org.apache.http.client.protocol.ResponseProcessCookies and set it to ERROR level. Lacking an environment I can currently reproduce this on, I'm taking a small leap of faith that those log changes will work, but based on what I was seeing here it seemed it would: http://stackoverflow.com/questions/3248528/how-do-i-turn-off-warning-messages-in-httpclient-for-log4j
Also are you seeing this with other cookies being set or only the examples of userLocale / Expires combinations?
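A way to check the tokenization explanation above against the logged header, and to list which cookies are affected when scanning app-ca.log. This is an added example, not code from any poster, Clarity or HttpClient; the function name `analyse` and the assumed Expires layout are illustrative choices.

```python
import re
from datetime import datetime

# The WARN line quoted in the first post, reproduced here as sample input.
SAMPLE = ('WARN 2015-08-04 07:47:27,942 [ZZZZ] protocol.ResponseProcessCookies '
          '(clarity:XXXX:*********:none) Invalid cookie header: "Set-Cookie: '
          'userLocale=en_US;secure;Expires=Wed,;secure; 5-Aug-2015 14:47:27;'
          'secure; GMT;Secure;HttpOnly". Unable to parse expires attribute: Wed,')

HEADER_RE = re.compile(r'Invalid cookie header: "Set-Cookie: (.*?)"\. ')
FLAGS = ("secure", "httponly")
# Assumed layout of the intended Expires value (day name, d-Mon-yyyy, time, GMT).
EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"


def analyse(log_line):
    """Return details of the mangled cookie, or None if the line is not this warning."""
    m = HEADER_RE.search(log_line)
    if m is None:
        return None
    parts = [p.strip() for p in m.group(1).split(";")]
    name = parts[0].partition("=")[0]
    secure_count = sum(1 for p in parts[1:] if p.lower() == "secure")
    fragments, collecting = [], False
    for p in parts[1:]:
        if p.lower() in FLAGS:
            continue                      # skip flags, including the repeated ones
        if p.lower().startswith("expires="):
            fragments, collecting = [p.split("=", 1)[1]], True
        elif collecting and "=" not in p:
            fragments.append(p)           # a piece of the date that was split off
        else:
            collecting = False
    rebuilt = " ".join(fragments)
    try:
        expires = datetime.strptime(rebuilt, EXPIRES_FMT)
    except ValueError:
        expires = None                    # damaged beyond the repeated flag
    return {"cookie": name, "secure_flags": secure_count,
            "expires_text": rebuilt, "expires": expires}


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

With the repeated `secure` flags dropped, the remaining fragments rejoin into a well-formed date, which is consistent with the flag having been inserted after each whitespace-separated token of the Expires value.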
Also, this is an on-demand environment.
Hi NJ - Were you able to make any progress with this?