Adress review comments

hoffmaen · hoffmaen · commit 5bb8bb48d50a · 2026-04-10T16:31:35.000+02:00
diff --git a/docs/03-how-to-use-session-affinity.md b/docs/03-how-to-use-session-affinity.md
@@ -107,7 +107,7 @@ for the old non-partitioned `__VCAP_ID__` cookie alongside the new partitioned o
 <img src="images/sticky_sessions_chips_migration.png" alt="Sticky Sessions - CHIPS migration sequence" width="800">
 
 ### Does Gorouter support `__Host-` prefixed session cookies?
-Yes. [RFC 6265bis](https://www.rfc-editor.org/rfc/draft-ietf-httpbis-rfc6265bis-19.html#name-the-__host-prefix) defines
+Yes. [RFC 6265bis](https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/) defines
 the `__Host-` cookie prefix, which instructs browsers to enforce additional security constraints
 (the cookie must be `Secure`, must not specify a `Domain`, and the `Path` must be `/`).
 
@@ -135,7 +135,8 @@ browser's jar, the expected migration path is for the application to simply stop
 Note: if an application were to set a new `__Host-JSESSIONID` alongside a delete (`Max-Age=0`) for
 the old `JSESSIONID` in the same response, both would produce a `__VCAP_ID__` in the same cookie
 jar partition. Depending on processing order, the browser could apply the delete `__VCAP_ID__`
-after the new one, effectively removing it.
+after the new one, effectively removing it. Developers should therefore avoid setting both cookies
+in the same response to prevent temporarily losing session stickiness.
 
 ### What happens if only one of `JSESSIONID` or `__VCAP_ID__` cookies is set on a request?
 Gorouter requires both `JSESSIONID` and `__VCAP_ID__` to be present for sticky session routing.
diff --git a/src/code.cloudfoundry.org/gorouter/handlers/helpers.go b/src/code.cloudfoundry.org/gorouter/handlers/helpers.go
@@ -91,10 +91,7 @@ func GetStickySession(request *http.Request, stickySessionCookieNames config.Str
 	// Try choosing a backend using sticky session.
 	// Also match the "__Host-" prefixed variant of each configured cookie name (RFC 6265bis).
 	for _, c := range request.Cookies() {
-		name := c.Name
-		if strings.HasPrefix(name, "__Host-") {
-			name = name[7:]
-		}
+		name := strings.TrimPrefix(c.Name, "__Host-")
 		if _, ok := stickySessionCookieNames[name]; ok {
 			if sticky, err := request.Cookie(VcapCookieId); err == nil {
 				return sticky.Value, false
diff --git a/src/code.cloudfoundry.org/gorouter/proxy/round_tripper/proxy_round_tripper.go b/src/code.cloudfoundry.org/gorouter/proxy/round_tripper/proxy_round_tripper.go
@@ -607,14 +607,9 @@ func getSessionCookies(response *http.Response, stickySessionCookieNames config.
 // IsSessionCookie reports whether cookieName matches a configured sticky session cookie name,
 // either directly or after stripping the "__Host-" prefix (RFC 6265bis).
 func IsSessionCookie(cookieName string, stickySessionCookieNames config.StringSet) bool {
-	if _, ok := stickySessionCookieNames[cookieName]; ok {
-		return true
-	}
-	if strings.HasPrefix(cookieName, "__Host-") {
-		_, ok := stickySessionCookieNames[cookieName[7:]]
-		return ok
-	}
-	return false
+	name := strings.TrimPrefix(cookieName, "__Host-")
+	_, ok := stickySessionCookieNames[name]
+	return ok
 }
 
 // getAttributesFromMetaCookie returns the __VCAP_ID_META__ cookie from the request cookies, when it exists
