Skip to content

feat: Support __Host- prefixed session cookies for sticky sessions#549

Merged
hoffmaen merged 3 commits intocloudfoundry:developfrom
sap-contributions:host-cookie
Apr 13, 2026
Merged

feat: Support __Host- prefixed session cookies for sticky sessions#549
hoffmaen merged 3 commits intocloudfoundry:developfrom
sap-contributions:host-cookie

Conversation

@hoffmaen
Copy link
Copy Markdown
Contributor

@hoffmaen hoffmaen commented Mar 31, 2026
edited
Loading

Summary

  • Gorouter now recognises __Host--prefixed variants of configured sticky session cookie names (e.g. __Host-JSESSIONID), both in application responses and client requests
  • Uses exact prefix matching (__Host-) per RFC 6265bis, which mandates this canonical casing for user agents — no case-insensitive matching needed
  • No additional configuration required; the __Host- prefix is handled automatically for every name in router.sticky_session_cookie_names

Motivation

The __Host- cookie prefix ensures that session cookies are bound to the exact origin host and are never sent to subdomains, preventing session cookie leakage to other applications on shared domains. This prefix also enforces that cookies are only set over HTTPS, without a Domain attribute, and with Path=/ — supporting it in gorouter's sticky session handling allows applications to leverage these stricter security guarantees while retaining session affinity.

Backward Compatibility

Breaking Change? No

Note on AI usage

Parts of this code and tests were developed with assistance from Claude Code (claude-opus-4-20250514).

@hoffmaen hoffmaen marked this pull request as ready for review April 8, 2026 12:24
@hoffmaen hoffmaen requested a review from a team as a code owner April 8, 2026 12:24
a18e
a18e reviewed Apr 10, 2026
View reviewed changes
Comment thread docs/03-how-to-use-session-affinity.md Outdated
Comment thread docs/03-how-to-use-session-affinity.md Outdated
Comment thread src/code.cloudfoundry.org/gorouter/handlers/helpers.go Outdated
Comment thread src/code.cloudfoundry.org/gorouter/proxy/round_tripper/proxy_round_tripper.go
@hoffmaen hoffmaen requested a review from a18e April 13, 2026 13:15
a18e
a18e approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@a18e a18e left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-project-automation github-project-automation bot moved this from Inbox to Pending Merge | Prioritized in Application Runtime Platform Working Group Apr 13, 2026
@hoffmaen hoffmaen merged commit ecde9d4 into cloudfoundry:develop Apr 13, 2026
1 check passed
@github-project-automation github-project-automation bot moved this from Pending Merge | Prioritized to Done in Application Runtime Platform Working Group Apr 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@a18e a18e a18e approved these changes

Assignees

No one assigned

Labels

None yet

Projects

Application Runtime Platform Working Group
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hoffmaen @a18e