Is there any Jersey client setting that would allow resending of cookies with a redirect?


I am using Jersey 2.17. I want to implement the following scenario on client side:

  1. my Jersey client sends a request to a certain URL;

  2. the server will return me an HTTP 301 with a Set-Cookie: abc=def header (this is given, we don't have to worry about it);

  3. my Jersey client follows the redirect;

  4. my Jersey client sets the abc=def cookie in the second request (to the redirect target).

Redirection works fine, so step 3 is not a concern. What I don't know is if the cookie handling is possible, as I need it. Does anybody know for sure?


There is 1 answer

Matt Ball On

If the cookie domain is the same as the redirected URL's domain, then the cookie does not need to be sent again, so long as the client accepts and respects the first Set-Cookie.

If the domains are not the same, this sounds like a security risk: cookies are deliberately scoped to a specific domain (or set of domains) and to expose a cookie outside of that would risk leaking potentially-sensitive information. So cookies should not be re-transmitted on a redirect across domains.
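The domain-scoping rule from the answer above, written out as an added example (not code from the question or the answer): automatic redirects are disabled so the client can inspect the 301's Set-Cookie and forward the cookie only when its scope covers the redirect target. The class name, helper names and the `service.example` URL are assumptions; the `javax.ws.rs` packages are those used by Jersey 2.x.

```java
import java.net.URI;
import java.util.Locale;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.client.ClientProperties;

public class RedirectCookieExample { // hypothetical class name
    // Domain-match in the style of RFC 6265 (IP-literal hosts, public suffixes and Path are not handled here).
    static boolean domainMatches(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) d = d.substring(1);
        return h.equals(d) || h.endsWith("." + d);
    }

    // Decide whether a cookie set by `origin` may be sent to `target`.
    static boolean maySend(NewCookie c, URI origin, URI target) {
        if (c.isSecure() && !"https".equalsIgnoreCase(target.getScheme())) return false;
        String domain = c.getDomain();
        if (domain == null || domain.isEmpty()) // host-only cookie: same host only
            return origin.getHost().equalsIgnoreCase(target.getHost());
        // The origin must be allowed to set this Domain, and the target must fall under it.
        return domainMatches(origin.getHost(), domain) && domainMatches(target.getHost(), domain);
    }

    static Response getFollowingOneRedirect(Client client, URI start) {
        Response first = client.target(start).request().get();
        URI location = first.getLocation();
        if (first.getStatusInfo().getFamily() != Response.Status.Family.REDIRECTION || location == null)
            return first;
        URI target = start.resolve(location);
        Invocation.Builder next = client.target(target).request();
        for (NewCookie c : first.getCookies().values())
            if (maySend(c, start, target)) next.cookie(c.getName(), c.getValue());
        first.close();
        return next.get();
    }

    public static void main(String[] args) {
        // Turn off automatic redirects so the Set-Cookie on the 301 can be inspected.
        Client client = ClientBuilder.newClient().property(ClientProperties.FOLLOW_REDIRECTS, false);
        Response r = getFollowingOneRedirect(client, URI.create("https://service.example/start")); // placeholder URL
        System.out.println(r.getStatus());
        client.close();
    }
}
```

A cookie whose Domain does not cover the redirect target is dropped rather than forwarded, which keeps it from leaking to a different site.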