feat: Support __Host- prefixed session cookies for sticky sessions#549
Open
hoffmaen wants to merge 3 commits intocloudfoundry:developfrom
Open
feat: Support __Host- prefixed session cookies for sticky sessions#549hoffmaen wants to merge 3 commits intocloudfoundry:developfrom
hoffmaen wants to merge 3 commits intocloudfoundry:developfrom
Conversation
cf-foundation-community-automation
bot
moved this to Inbox
in Application Runtime Platform Working Group
a18e
reviewed
Apr 10, 2026
| <img src="images/sticky_sessions_chips_migration.png" alt="Sticky Sessions - CHIPS migration sequence" width="800"> | ||
|
|
||
| ### Does Gorouter support `__Host-` prefixed session cookies? | ||
| Yes. [RFC 6265bis](https://www.rfc-editor.org/rfc/draft-ietf-httpbis-rfc6265bis-19.html#name-the-__host-prefix) defines |
Contributor
There was a problem hiding this comment.
This link seems broken search doesn't return anything, how about https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/ ?
(though that one will probably also change once it's no longer draft)
| Note: if an application were to set a new `__Host-JSESSIONID` alongside a delete (`Max-Age=0`) for | ||
| the old `JSESSIONID` in the same response, both would produce a `__VCAP_ID__` in the same cookie | ||
| jar partition. Depending on processing order, the browser could apply the delete `__VCAP_ID__` | ||
| after the new one, effectively removing it. |
Contributor
There was a problem hiding this comment.
Maybe add what this actually means for a developer, e.g. "This could mean breaking session stickyness for the time of migration from JSESSIONID to _Host-...?"
Comment on lines
+94
to
+97
| name := c.Name | ||
| if strings.HasPrefix(name, "__Host-") { | ||
| name = name[7:] | ||
| } |
Contributor
There was a problem hiding this comment.
Suggested change
| name := c.Name | |
| if strings.HasPrefix(name, "__Host-") { | |
| name = name[7:] | |
| } | |
| name := strings.TrimPrefix(c.Name, "__Host-") |
Wouldn't this be simpler? see also below
Comment on lines
+600
to
+619
| if IsSessionCookie(cookie.Name, stickySessionCookieNames) { | ||
| sessionCookies = append(sessionCookies, cookie) | ||
| } | ||
| } | ||
| return sessionCookies, nil | ||
| } | ||
|
|
||
| // IsSessionCookie reports whether cookieName matches a configured sticky session cookie name, | ||
| // either directly or after stripping the "__Host-" prefix (RFC 6265bis). | ||
| func IsSessionCookie(cookieName string, stickySessionCookieNames config.StringSet) bool { | ||
| if _, ok := stickySessionCookieNames[cookieName]; ok { | ||
| return true | ||
| } | ||
| if strings.HasPrefix(cookieName, "__Host-") { | ||
| _, ok := stickySessionCookieNames[cookieName[7:]] | ||
| return ok | ||
| } | ||
| return false | ||
| } | ||
|
|
Contributor
There was a problem hiding this comment.
Suggested change
| if IsSessionCookie(cookie.Name, stickySessionCookieNames) { | |
| sessionCookies = append(sessionCookies, cookie) | |
| } | |
| } | |
| return sessionCookies, nil | |
| } | |
| // IsSessionCookie reports whether cookieName matches a configured sticky session cookie name, | |
| // either directly or after stripping the "__Host-" prefix (RFC 6265bis). | |
| func IsSessionCookie(cookieName string, stickySessionCookieNames config.StringSet) bool { | |
| if _, ok := stickySessionCookieNames[cookieName]; ok { | |
| return true | |
| } | |
| if strings.HasPrefix(cookieName, "__Host-") { | |
| _, ok := stickySessionCookieNames[cookieName[7:]] | |
| return ok | |
| } | |
| return false | |
| } | |
| // also match __Host- prefix | |
| name := strings.TrimPrefix(cookie.Name, "__Host-") | |
| if _, ok := stickySessionCookieNames[name]; ok { | |
| sessionCookies = append(sessionCookies, cookie) | |
| } | |
| } | |
| return sessionCookies, nil | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
__Host--prefixed variants of configured sticky session cookie names (e.g.__Host-JSESSIONID), both in application responses and client requests__Host-) per RFC 6265bis, which mandates this canonical casing for user agents — no case-insensitive matching needed__Host-prefix is handled automatically for every name inrouter.sticky_session_cookie_namesMotivation
The
__Host-cookie prefix ensures that session cookies are bound to the exact origin host and are never sent to subdomains, preventing session cookie leakage to other applications on shared domains. This prefix also enforces that cookies are only set over HTTPS, without aDomainattribute, and withPath=/— supporting it in gorouter's sticky session handling allows applications to leverage these stricter security guarantees while retaining session affinity.Backward Compatibility
Breaking Change? No
Note on AI usage
Parts of this code and tests were developed with assistance from Claude Code (claude-opus-4-20250514).