Bug 1095242

Summary: do not use com.google.gwt.user.client.Cookies in ReportModel
Product: [Retired] oVirt    Reporter: Alon Bar-Lev <alonbl>
Component: ovirt-engine-webadmin    Assignee: Alexander Wels <awels>
Status: CLOSED CURRENTRELEASE    QA Contact: Jiri Belka <jbelka>
Severity: high    Docs Contact:
Priority: unspecified
Version: unspecified    CC: awels, bugs, ecohen, gklein, iheim, mgoldboi, rbalakri, vszocs, yeylon
Target Milestone: ---    Keywords: CodeChange
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version: ovirt-3.5.0-alpha2    Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:    Environment:
Last Closed: 2014-10-17 12:40:14 UTC    Type: Bug
Regression: ---    Mount Type: ---
Documentation: ---    CRM:
Verified Versions:    Category: ---
oVirt Team: Infra    RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---    Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1077450

Description Alon Bar-Lev 2014-05-07 10:53:01 UTC
We are to move usage of cookies to be marked as HttpOnly.

Getting cookies at client side is forbidden.

One solution is to add a service at /ovirt-engine/services to get the cookie if actually required.

There may be other solutions as well.

Comment 1 Oved Ourfali 2014-05-07 10:54:48 UTC
Vojtech - don't we have the session ID somewhere else in the client context?

Comment 2 Vojtech Szocs 2014-05-14 17:34:16 UTC
(In reply to Oved Ourfali from comment #1)
> Vojtech - don't we have the session ID somewhere else in the client context?

In general, GWT client code is agnostic (unaware) of the application's (WebAdmin/UserPortal) session, represented by the JSESSIONID cookie. The browser takes care of cookie handling and the server takes care of the cookie -> HttpSession association, so GWT client code has no real reason to access the session ID.

One exception to the above rule is ReportModel and ReportsListModel, both of which have:

  String sessionID = Cookies.getCookie("JSESSIONID");

ReportModel and ReportsListModel execute in WebAdmin context, so the above statement attempts to access the JSESSIONID cookie set for path /ovirt-engine/webadmin, which will fail in case the cookie is marked as HttpOnly.

Aside from that, in WebAdmin, we read REST application's session ID via _response header_ (named 'JSESSIONID') and not via cookie, since WebAdmin code at path /ovirt-engine/webadmin cannot access cookie for path /ovirt-engine/api anyway.

So fixing ReportModel and ReportsListModel should be enough to make HttpOnly cookie flag work for WebAdmin/UserPortal applications.

Comment 3 Sandro Bonazzola 2014-10-17 12:40:14 UTC
oVirt 3.5 has been released and should include the fix for this issue.