feat: Support __Host- prefixed session cookies for sticky sessions #549

Merged
hoffmaen merged 3 commits into cloudfoundry:develop from sap-contributions:host-cookie
Apr 13, 2026
@hoffmaen hoffmaen commented Mar 31, 2026

Summary

  • Gorouter now recognises __Host--prefixed variants of configured sticky session cookie names (e.g. __Host-JSESSIONID), both in application responses and client requests
  • Uses exact prefix matching (__Host-) per RFC 6265bis, which mandates this canonical casing for user agents — no case-insensitive matching needed
  • No additional configuration required; the __Host- prefix is handled automatically for every name in router.sticky_session_cookie_names

Motivation

The __Host- cookie prefix ensures that session cookies are bound to the exact origin host and are never sent to subdomains, preventing session cookie leakage to other applications on shared domains. This prefix also enforces that cookies are only set over HTTPS, without a Domain attribute, and with Path=/ — supporting it in gorouter's sticky session handling allows applications to leverage these stricter security guarantees while retaining session affinity.

Backward Compatibility

Breaking Change? No

Note on AI usage

Parts of this code and tests were developed with assistance from Claude Code (claude-opus-4-20250514).

Comment thread docs/03-how-to-use-session-affinity.md Outdated
Comment thread docs/03-how-to-use-session-affinity.md Outdated
Comment thread src/code.cloudfoundry.org/gorouter/handlers/helpers.go Outdated
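The matching rule from the PR summary, sketched as an added example (not gorouter's code and not part of this PR): a cookie counts as a sticky session cookie if its name is a configured name or that name behind the exact, case-sensitive `__Host-` prefix. The function names and sample headers are constructed, and the attribute check (Secure, no Domain, Path=/) is an extra here that mirrors what the Motivation section says the prefix requires, not something the page states gorouter enforces.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// hostPrefix is matched byte-for-byte; "__host-" or "__HOST-" do not count.
const hostPrefix = "__Host-"

// isStickyCookieName reports whether name is a configured sticky session
// cookie name, either bare or carrying the exact __Host- prefix.
func isStickyCookieName(name string, configured map[string]bool) bool {
	return configured[name] ||
		(strings.HasPrefix(name, hostPrefix) && configured[strings.TrimPrefix(name, hostPrefix)])
}

// hostAttrsOK checks what the prefix demands of a Set-Cookie line:
// Secure, no Domain attribute, Path=/. Unprefixed cookies pass trivially.
func hostAttrsOK(c *http.Cookie) bool {
	if !strings.HasPrefix(c.Name, hostPrefix) {
		return true
	}
	return c.Secure && c.Domain == "" && c.Path == "/"
}

// classify parses Set-Cookie values and returns the names that count as
// sticky session cookies and, of those, the ones violating the prefix rules.
func classify(setCookie []string, configured map[string]bool) (sticky, rejected []string) {
	resp := http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	for _, c := range resp.Cookies() {
		if !isStickyCookieName(c.Name, configured) {
			continue
		}
		sticky = append(sticky, c.Name)
		if !hostAttrsOK(c) {
			rejected = append(rejected, c.Name)
		}
	}
	return sticky, rejected
}

func main() {
	// Constructed sample headers, not taken from the PR.
	sample := []string{"JSESSIONID=a; Path=/", "__Host-JSESSIONID=b; Secure; Path=/",
		"__host-JSESSIONID=c; Secure; Path=/", "__Host-JSESSIONID=d; Secure; Path=/; Domain=example.com"}
	sticky, rejected := classify(sample, map[string]bool{"JSESSIONID": true})
	fmt.Println(sticky, rejected)
}
```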

@a18e a18e left a comment

LGTM

@github-project-automation github-project-automation bot moved this from Inbox to Pending Merge | Prioritized in Application Runtime Platform Working Group Apr 13, 2026
@hoffmaen hoffmaen merged commit ecde9d4 into cloudfoundry:develop Apr 13, 2026
1 check passed
@github-project-automation github-project-automation bot moved this from Pending Merge | Prioritized to Done in Application Runtime Platform Working Group Apr 13, 2026