Do not update VCAP_ID cookie without JSESSIONID cookie #531
Draft
hoffmaen wants to merge 2 commits into cloudfoundry:develop from
b1tamara reviewed Feb 25, 2026
Contributor, Author:
Putting this back to Draft status, to align on broken scenarios.
Summary
This Pull-Request fixes Problem 1 in #529.
This Pull-Request fixes an issue where Gorouter was creating an unpartitioned __VCAP_ID__ cookie when a client's original sticky session endpoint became unavailable and the backend response didn't contain a JSESSIONID cookie. The previous behavior would set a new __VCAP_ID__ cookie with default attributes whenever the endpoint changed, regardless of whether the application intended to establish a new session. With this change, Gorouter only sets the __VCAP_ID__ cookie when the backend response explicitly contains a JSESSIONID cookie or WWW-Authenticate Negotiate header, ensuring that cookie attributes remain synchronized and applications maintain full control over session lifecycle.
Backward Compatibility
Breaking Change? Yes (but more of a bugfix)
This Pull-Request changes the behavior of VCAP_ID cookie creation in a specific scenario: when a client sends both JSESSIONID and __VCAP_ID__ cookies, the original endpoint is no longer available, and the backend response doesn't contain a new JSESSIONID cookie. Previously, Gorouter would create a new __VCAP_ID__ cookie with default (unpartitioned) attributes in this case.
With this change, Gorouter will not create a new __VCAP_ID__ cookie unless the backend explicitly sets a JSESSIONID cookie in the response. This prevents cookie attribute desynchronization where JSESSIONID and __VCAP_ID__ could have conflicting partitioning states. The previous behavior was problematic because applications lost control over the __VCAP_ID__ cookie attributes (particularly when using partitioned cookies), as Gorouter would override them with unpartitioned defaults. This fix ensures applications can properly control cookie sandboxing through JSESSIONID attributes.
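
The rule stated in the description above, sketched in Go as an added example; it is not Gorouter's code and not part of this pull request. The helper name `vcapSetCookie`, the instance id values, the base `Path=/; HttpOnly` attributes and the list of mirrored attributes are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

const (
	vcapID        = "__VCAP_ID__"
	sessionCookie = "JSESSIONID"
)

// vcapSetCookie (hypothetical helper) returns the Set-Cookie value for
// __VCAP_ID__ that follows the rule above, or "" when no cookie may be set.
// Whether the sticky endpoint changed is deliberately not an input.
func vcapSetCookie(backend http.Header, instanceID string) string {
	base := vcapID + "=" + instanceID + "; Path=/; HttpOnly"
	for _, raw := range backend.Values("Set-Cookie") {
		parts := strings.Split(raw, ";")
		name, _, _ := strings.Cut(parts[0], "=")
		if strings.TrimSpace(name) != sessionCookie {
			continue
		}
		// Mirror the session cookie's attributes so both cookies share one
		// partitioning state (the attribute list is an assumption).
		for _, attr := range parts[1:] {
			a := strings.TrimSpace(attr)
			key, _, _ := strings.Cut(strings.ToLower(a), "=")
			switch key {
			case "secure", "samesite", "partitioned", "max-age", "expires":
				base += "; " + a
			}
		}
		return base
	}
	if strings.HasPrefix(strings.ToLower(backend.Get("WWW-Authenticate")), "negotiate") {
		return base
	}
	return "" // no session signal from the backend: leave the client's cookie alone
}

func main() {
	// Constructed backend responses, not captured traffic.
	plain := http.Header{"Content-Type": {"text/html"}}
	session := http.Header{"Set-Cookie": {"JSESSIONID=abc; Path=/; Secure; SameSite=None; Partitioned"}}
	fmt.Printf("no JSESSIONID: %q\n", vcapSetCookie(plain, "instance-2"))
	fmt.Printf("JSESSIONID:    %q\n", vcapSetCookie(session, "instance-2"))
}
```
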