Fix Cookie Attributes on Sticky Session Refresh

[hoffmaen]

• Read the Contributing document.

Summary

When an application sets a partitioned JSESSIONID cookie, Gorouter sets a matching partitioned __VCAP_ID__ cookie. However, when a subsequent request references a stale application instance and the new instance does not respond with a new JSESSIONID cookie, Gorouter had no way of knowing whether the client's existing __VCAP_ID__ was partitioned — since cookie attributes are never transmitted from the client to the server. As a result, Gorouter always created a new unpartitioned __VCAP_ID__ cookie in this case, leaving the client with both an orphaned partitioned and a new unpartitioned __VCAP_ID__ cookie. This broke sticky session routing for partitioned cookies, as browsers such as Chrome would prefer the stale partitioned cookie over the new unpartitioned one.

This Pull Request introduces a new metadata cookie, __VCAP_ID_META__, which Gorouter sets alongside __VCAP_ID__ whenever it creates a sticky session (i.e. the application responds with a matching session cookie such as JSESSIONID). The metadata cookie encodes all relevant __VCAP_ID__ attributes — Partitioned, Secure, SameSite, and Expiry — as a compact &-separated key=value string (e.g. expiry=1748001600&secure=1&samesite=none&partitioned=1). In the stale instance scenario, when the new instance does not set a new JSESSIONID cookie, Gorouter reads __VCAP_ID_META__ from the incoming request and reconstructs the refreshed __VCAP_ID__ with the original attributes preserved.

The expiry lifetime is stored as an absolute Unix timestamp rather than a relative Max-Age value. This ensures that a stale instance refresh does not silently extend the user's session: the refreshed __VCAP_ID__ receives an Expires header set to the original absolute point in time, so the remaining session lifetime is preserved exactly.

__VCAP_ID_META__ is issued with the same attributes (Secure, SameSite, Partitioned, Expiry) as __VCAP_ID__ itself, so the two cookies co-expire and share the same security constraints.

Closes #529 (Problem 1).

Backward Compatibility

Breaking Change? No
All clients that use sticky sessions will now additionally receive the __VCAP_ID_META__ cookie alongside __VCAP_ID__. This is a net improvement: without it, sticky session routing for partitioned cookies in the stale instance scenario was already broken, and attributes such as Secure and SameSite were not preserved on refresh for any client. Clients that do not use sticky sessions are entirely unaffected.

[maxmoehl]

I have some concerns when it comes to adding a second cookie:

1. Yet another cookie which has to be correlated, can be duplicated, etc. Based on your description the meta cookie encodes its own attributes, that would at least allow gorouter to clear it. But if you suddenly have two of those but one regular VCAP cookie it gets weird again.¹
2. This is a bit more vague but there might be environments in which cookies are tracked to some extent and a new cookie could cause confusion / issues.

I'd prefer if we could evolve the format of the __VCAP_ID__ cookie instead:

• Add a feature flag for vcap_id_cookie_v2 which takes the values disabled (default), accept, and emit.
• On disabled nothing changes, gorouter behaves as before.
• On accept gorouter tries to detect the new format and parse it, falling back to the current format if that fails.
• On emit it starts setting the VCAP_ID cookie according to the new format.
• Add version=2 and value=$value to the cookie value.

All names are for illustration purposes only.

Footnotes

1. Yes, I know, you can then just clear both. It still adds complexity. ↩

[hoffmaen]

I have some concerns when it comes to adding a second cookie:

1. Yet another cookie which has to be correlated, can be duplicated, etc. Based on your description the meta cookie encodes its own attributes, that would at least allow gorouter to clear it. But if you suddenly have two of those but one regular VCAP cookie it gets weird again.[1](#user-content-fn-1-7ae6470452031de3247e0828ab074f13)

2. This is a bit more vague but there might be environments in which cookies are tracked to some extent and a new cookie could cause confusion / issues.

I'd prefer if we could evolve the format of the __VCAP_ID__ cookie instead:

* Add a feature flag for `vcap_id_cookie_v2` which takes the values `disabled` (default), `accept`, and `emit`.

* On `disabled` nothing changes, gorouter behaves as before.

* On `accept` gorouter tries to detect the new format and parse it, falling back to the current format if that fails.

* On `emit` it starts setting the VCAP_ID cookie according to the new format.

* Add `version=2` and `value=$value` to the cookie value.

All names are for illustration purposes only.

Footnotes

1. Yes, I know, you can then just clear both. It still adds complexity. [↩](#user-content-fnref-1-7ae6470452031de3247e0828ab074f13)

I appreciate the idea, but I see a few drawbacks here:

1. Introducing a feature-flag, and then releasing the features in two phases means an additional delay to the rollout of the fix.
2. We do not know if anyone relies on the format of the __VCAP_ID__ cookie as it is - it only stores the App Instance GUID. Changing the format is a breaking change.
3. I don't like introducing a feature flag for a thing that is not a feature - to me, this is a bug fix.

[a18e]

A comment to explain the early return like "Sticky Session already established previously, nothing more to do" would be nice.

[a18e]

How about

Suggested change

	type stickySessionCase int
	type stickySessionScenario int

Also: With the new simplified structure I'm not sure if we need it at all...

[a18e]

Maybe this (or sth similar) makes the scenario more clear?

Suggested change

	sessionCookieInAppResponse
	newStickySessionRequested

[a18e]

I know why we did this (to avoid the "stickySessionStaleInstance is always true" thing right?).
But a bit more information for others might be helpful.

[a18e]

Suggested change

	// Create sticky session with default cookie attributes
	// Create VCAP_ID cookie with default cookie attributes

[a18e]

Hey, since we're only setting this in the case sessionCookieInAppResponse, why not set it there directly and save ourselves the var createMetaCookie?

Edit: Because we would have to specify if secureCookies {vcapCookie.Secure = true} twice
Edit2: But we could just doo ....Secure = vcapCookie.Secure || secureCookies

[hoffmaen]

Setting attributes in one place, and adding cookies in another keeps the code structure clean. I think this is a legitimate reason to keep the few extra lines.

[a18e]

Suggested change

	func getSessionCookiesFromResponse(response *http.Response, stickySessionCookieNames config.StringSet) (sessionCookie *http.Cookie , vcapIdCookie *http.Cookie) {
	func getSessionCookies(response *http.Response, stickySessionCookieNames config.StringSet) (sessionCookie *http.Cookie , vcapIdCookie *http.Cookie) {

[a18e]

Could we use some other kind of serialization that doesn't involve manual rules?

Option A: Intermediate JSON struct — keep vcapAttributes as-is, marshal/unmarshal via a separate vcapAttributesJSON with string fields and JSON tags. Simple, no custom marshaler needed.
Option B: JSON tags + custom marshaler on vcapAttributes — add MarshalJSON/UnmarshalJSON to vcapAttributes. More self-contained but more boilerplate.

Would probably be less performant though

binary serialization (e.g. encoding/gob, protobuf, msgpack) would be faster and more compact than JSON, but you'd still be slower than the current url.Values approach for a payload this small.

[a18e]

As discussed: We'll leave it as is, but will consider adding valueless params for booleans (e.g. if params.Get("secure") { metaAttributesFromCookie.secure = true }

[a18e]

Comment: point to global config value and that it overrides the per-cookie prefernce

[a18e]

Add comment that we expect to see these logs during the migration to the new cookie handling, but not after?